Behind nearly every security vulnerability, is a poorly written piece of software.  The way to fix that is to write better code.

As a start, groups like OWASP are trying to make the world a better place via getting developers more focused on improving the security of application software. The group’s mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. 

I just got a copy of The Tangled Web: A Guide to Securing Modern Web Applications, in which author Michal Zalewski notes that modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together.  

In the book he explains how browsers work and what makes them insecure. The book shows what needs to be done to fill in the gaps in order to create secure web applications. 

Zalewski is the author of Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, a fascinating text on how vulnerable networks are.  The book came out 7 years ago.  If it is any indication of the quality of The Tangled Web: A Guide to Securing Modern Web Applications, then it was definitely worth the wait. 

This looks to be a fascinating and important book. 



Full review to follow.