Google: hack our app
By Stuart Turton
Posted on 5 May 2010 at 16:16
Google has released a free tutorial that allows developers to play the role of hackers, as it seeks to educate people on the perils of buggy code.
At the heart of the tutorial is a "small, cheesy web application" dubbed Jarlsberg that is riddled with bugs that could be exploited to take down webservers and perform remote code-execution attacks.
The application can be downloaded to a local, secure machine along with a guide containing a list of exercises intended to show people how the holes in Jarlsberg can be exploited, and how to identify them within the code and secure them.
The app is being released through Google Labs and Google Code University, and comes with a strongly worded disclaimer.
"Accessing or attacking a computer system without authorisation is illegal in many jurisdictions," the company notes.
"You should use what you learn from the codelab to make your own applications more secure. You should not use it to attack any applications other than your own, and only do that with permission from the appropriate authorities (e.g., your company's security team)," it concludes.
Eh!
Well done Google, another generation of hackers spawned.
By delturner1 on 6 May 2010
About time...
Delturner1, having worked as a security consultant and a trouble-shooter, fixing web sites, it is amazing how few developers actually know how to generate a secure website.
At my last 2 jobs, I actually ended up running teams to go through websites we had developed and find as many security holes as possible. I also had to run training sessions for our developers to go over the basics, like escape strings before passing them to a database!
These are the basics, which every developer should know, before getting anywhere near a website. But unfortunately, very few are trained in writing secure code, or even efficient code, they are just taught to write "elegant" (aka pretty) code, they are marked on ease of reading and maintainability, but they are not marked on security or efficiency.
Even simple things, like "always test a positive answer (where possible)" isn't taught anymore.
Escaping text, checking for buffer overflows etc. are also not on the curriculum for most developers.
The web is a dangerous place. Using the old adage of turning up to a gun fight, most web developers aren't turning up with a knife, they are turning up with a stick of butter!
By big_D on 6 May 2010
