The panel's message was clear: it is not enough to know what your risks are; you also need a plan to build security into every level of software development.
Led by moderator Cameron Purdy, president of Somerville, Mass.-based Tangosol, panelists Jeremiah Grossman, Ted Neward, Christopher Steel and Justen Stepka agreed that application security can't be an afterthought. You need a plan from the beginning.
In "Java developers can't afford to ignore app security," the panel's core results are presented as an array of issues to address rather than actual solutions. As Ted Neward said, developers don't want to address security, but they need to, and awareness is the first step toward making secure applications.
One threat was mentioned a number of times: SQL injection, where SQL text supplied by a user is concatenated directly into a query string that the application sends to the database. Numerous articles in almost every trade magazine have addressed this issue, most of them centering on the mantra "use PreparedStatement instead of Statement," which is sufficient for the majority of cases, but the continued mention of the problem indicates that injection hasn't gone away.
To be sure, injection has broadened to include JavaScript as well, with malicious users injecting script text into pages in addition to SQL into queries, but it is strange that SQL injection, which is nearly trivial to eliminate, is still a problem -- which only serves to highlight the panel's conclusions.
More resources:
- More on SQL Injection from SearchAppSecurity
- More on cross-site scripting from SearchAppSecurity