
Security Concerns in Web Applications

January 13th, 2009

Yesterday, Alex Payne (API lead at Twitter) tweeted about the security issues that reared their ugly heads on Twitter a week or so ago:

PROTIP: if you don’t take the time to do periodic security reviews, you WILL get called out by Bruce Schneier. http://bit.ly/DwGr

He later tweeted a link to his blog post on the subject:

The Thing About Security: http://bit.ly/3gwR

Twitter user bonsai (Keith Williams) responded to Alex’s blog post:

@al3x It’s preposterous to think that your threat model didn’t include auth/msg-bot issues unless you simply didn’t have ANY models at all.

Alex replied:

@bonsai Indeed, we’ve never talked about threat models in a holistic way here. It’s gotta change.

No kidding. The moral of the story is: if you have no internal or external security policy whatsoever, enforce no minimum password strength (i.e., allow admin users to set their passwords to dictionary words), and allow unlimited login attempts, your system WILL be breached; it's simply a matter of time.
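The two controls named above (a minimum password policy that rejects dictionary words, and a cap on login attempts) are small enough to show in code. The following is an added example written for this post; it is not Twitter's code or anything taken from the linked articles. The wordlist is a constructed stand-in for a real dictionary, and the policy numbers (12-character minimum, 5 failures, 15-minute lockout) are illustrative assumptions, as is the injectable clock used so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed stand-in for a real dictionary/wordlist (assumption: a deployment
# would load a large list such as a breached-password corpus instead).
COMMON_WORDS = {"happiness", "password", "letmein", "twitter", "welcome", "qwerty"}
MIN_LENGTH = 12          # assumed policy value
MAX_FAILURES = 5         # assumed policy value
LOCKOUT_SECONDS = 900    # assumed policy value (15 minutes)
PBKDF2_ROUNDS = 100_000


def password_policy_errors(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    # Strip trailing digits/symbols so "happiness1" or "password!" still match the list.
    stripped = lowered.rstrip("0123456789!@#$%^&*")
    if lowered in COMMON_WORDS or stripped in COMMON_WORDS:
        errors.append("dictionary word")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    """Minimal account store with a password policy and per-account lockout."""

    def __init__(self, clock=time.monotonic):
        self.accounts = {}
        self.clock = clock  # injectable so tests can advance time

    def register(self, username, password):
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("weak password: " + "; ".join(errors))
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            # Do the same hashing work so unknown usernames are not cheaper to probe.
            hash_password(password)
            return "denied"
        if now < account.locked_until:
            return "locked"
        _, candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            # Cap the guess rate: after MAX_FAILURES misses the account rests for a while.
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    svc = AuthService()
    print(password_policy_errors("happiness"))   # rejected by the policy
    svc.register("admin", "correct horse battery staple")
    print(svc.login("admin", "happiness"))        # denied
```

A per-account lockout alone can be turned into a denial of service against a known username, so real deployments usually pair it with per-source throttling and alerting on repeated failures rather than relying on one counter.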
