Part II: Asymmetric Warfare
The control of a large force is the same principle as the control of a few men: it is merely a question of dividing up their numbers. Fighting with a large army under your command is nowise
different from fighting with a small one: it is merely a question
of instituting signs and signals.
—Sun Tzu in The Art of War
The web application security industry has been often compared to the early years of the automobile industry with regard to the lack of mandated security controls such as seatbelts and airbags. Experts rightfully point out that today's web applications are much like the cars of yester-year in that the focus is on features and not on the safety of the users. While there are similarities between the safety evolutions of these two industries, I want to focus on one specific marketing campaign that was used to promote the Porsche Boxster automobile. Within a print advertisement in an automobile magazine, Porsche presented the following text:
“Newcaritis.” That’s a technical term for the unanticipated problems that show up in early production cars. No matter how large the automaker, how vaunted its reputation, how extensive its pre-production testing program or how clever its engineering staff, there’s nothing like putting several thousand cars in the devilish little hands of the public to uncover bugs that the engineers never dreamed of.
This scenario is not unique to the automobile industry. Just as new, unforeseen defects and bugs are found when production vehicles are first given to actual drivers, the same results inevitably happen when new web applications are released within production. We are all suffering from Newappitis! Even though organizations attempt to weed out vulnerabilities within their web applications before they are put into production, problems still remain. There is just no practical way to duplicate all of the possible ways in which real clients will interact with them once they are in production. The point is that you must have mechanisms in place to identify if and when your clients and web applications are acting abnormally.
In Part I of the book, the recipes focused on various methods of preparing the web application and platform for detecting problems in production. In Part II of the book, we now turn our attention from preparation to active detection. These recipes will help us to identify problems such as clients submitting data that is outside the expected profile or when web applications respond in an abnormal manner such as returning detailed error messages.