Despite last post's unpleasantness, this morning I woke with a general sense of excitement and optimism. Sure, we all know website and browser security is in an abysmal state - vulnerabilities can be identified in most important websites in under 20 minutes and it's almost impossible to protect yourself from a malicious web page. However, after every conference I attend where I get to talking with people, I get the sense that things are definitely looking up.
Industry groups (WASC and OWASP) are buzzing with activity, mailing list and message board posts are frequent and informative, browser vendors are engaging with the community and asking for public comment, programmers are using modern development frameworks and are also asking the right questions about secure software, and organizational budgets now have web security line items. These are all very good signs. And I think it all started with awareness. You can't fix it if you don't know what's broken.
The only problem is progress never seems to come fast enough. It's going to take years before measurable improvements are made. Any browser security architecture change probably won't come for another full version or two (Firefox 4 and IE 9). It's also going to take at least 7-10 years before the majority of important websites are replaced by ones using modern technology and/or have remediated their current set of issues. This also means there is opportunity to make a real difference – perhaps a few clever people in the crowd have some bright ideas to speed up the process.
And for those already in web security, this also means there is job security for quite some time. ;)