I think it is something they have to experience. Tell them if they are happy with it, give me a $10 bug bounty. Then go hack a deploy of their branch. Then tell em to keep the $10 but remember the lesson.


Wow. I would never guess it was so hard to convince someone of this.

“The code I write doesn’t have XSS or SQL injection vulnerabilities,” sure. At least those are plausible things to believe.

Client side validation?? How could anybody believe in that?


I convinced fellow engineers who were adamant that the code they had written was OK by writing actual exploits against their code. Twice. Worked both times, without betting on money.


An axiom of secure programming is to never trust the client. You don't really know what the client is.

Often it takes several penetrations via compromised/replaced clients to get the message through.

Just look at all the discussions about why browser-based javascript encryption is problematic.
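To make the "never trust the client" point concrete, here is an added example (not from any commenter in the thread): a handler that accepts the client's own "I validated this" flag beside one that re-applies the same rules server-side, both run against a request built without the browser. The form field names and rules are made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed field names and rules for this example; they mirror what a
# browser-side validator might enforce (well-formed email, 1..10 items).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_QTY = 10


def trusting_handler(form: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Accepts the order if the client claims it already validated the form.
    This is the pattern the thread argues against: the flag is just bytes
    the client chose to send, so a replaced client can set it freely."""
    if form.get("client_validated") == "true":
        return True, []
    return False, ["form not validated"]


def server_validated_handler(form: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Re-applies every rule on the server and ignores the client's flag."""
    errors: List[str] = []
    if not EMAIL_RE.match(form.get("email", "")):
        errors.append("email: malformed")
    qty_raw = form.get("qty", "")
    if not qty_raw.isdigit() or not 1 <= int(qty_raw) <= MAX_QTY:
        errors.append(f"qty: must be an integer from 1 to {MAX_QTY}")
    return (not errors), errors


# Constructed requests. The first is what the browser form would submit after
# its JavaScript checks passed; the second is what a client that skipped those
# checks can send while still asserting the flag.
FROM_BROWSER = {"email": "alice@example.com", "qty": "2", "client_validated": "true"}
CRAFTED = {"email": "not-an-email", "qty": "-1", "client_validated": "true"}

if __name__ == "__main__":
    for name, form in (("browser", FROM_BROWSER), ("crafted", CRAFTED)):
        print(name, "trusting:", trusting_handler(form)[0],
              "server-validated:", server_validated_handler(form))
```

Only the second handler rejects the crafted request; the first cannot tell the two apart because everything it sees came from the client.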
