SQL Injection is 90% SQL, WebSec is 90% WebDev
docrice
Member Posts: 1,706 ■■■■■■■■■■
http://danielmiessler.com/blog/sql-injection-is-90-sql-websec-is-90-webdev
This is what some aspiring security professionals forget. Don't be the guy in infosec who is mega-certified but hasn't mastered anything and doesn't add value. Don't be me.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Comments
Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
McAfee detected a virus after browsing to that site...
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
JDMurray Admin Posts: 13,101 Admin
Did it actually display the name of the virus it detected, or was it just a warning that the server at that address is known to be malicious? I hit the site on a computer running McAfee Enterprise, and with NoScript running in FF3, and received no such warning.
chrisone Member Posts: 2,278 ■■■■■■■■■□
Nice reminder article! I do agree we should learn about Linux, SQL, and web development. However, I don't think you need to be a certified expert on these subjects. It helps to know your environment, like knowing which streets to turn to get to your destination, but I don't have to know every house address on the block.
Here are some books I was considering to get a better understanding of how websites and SQL function. Let me know if you think these are adequate to have an understanding of the technologies. Please list some of your own; I would like to get an idea of which ones are good to read and if this list is overkill lol. I am not interested in buying all of them, just 2 or 3 from this list I guess.
Amazon.com: Beginning PHP and MySQL: From Novice to Professional (Expert's Voice in Web Development) (9781430231141): W. Jason Gilmore: Books
Amazon.com: PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide (9780321525994): Larry Ullman: Books
I like this one because of the added Apache Server integration studies.
Amazon.com: Sams Teach Yourself PHP, MySQL and Apache All in One (5th Edition) (9780672335433): Julie C. Meloni: Books
Have to get some HTML5 under your belt. Wave of the future for the web IMO.
Amazon.com: Introducing HTML5 (Voices That Matter) (9780321687296): Bruce Lawson, Remy Sharp: Books
Amazon.com: HTML5 Digital Classroom (9781118016183): Jeremy Osborn, AGI Creative Team: Books
Amazon.com: Beginning HTML5 and CSS3 (9781430228745): Christopher Murphy: Books
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
docrice Member Posts: 1,706 ■■■■■■■■■■
While I think most of us get by doing our work without having superb in-depth knowledge about the platforms we support, the blog post makes the case that the more extensive the mastery on a given area, the more effective a security professional can be (provided the right kind of complementing mindset). I fully agree with this, as there have been occasions where I could see beyond the intended design of something and knew about it inside-out. I could wrap my viewpoint around the issue (and potential issues) effectively and deliver suggestions accordingly.
The practical reality is that with all the areas many infosec professionals have to cover, it's hard to deliver solutions which consider everything comprehensively. As a generalist, I often end up with half-baked results because my specialization is non-existent, relatively speaking. It's a trade-off though. At the rate things are progressing in technology, it's hard to learn about any given subject extremely well unless one is assigned to it specifically.
By the way, I didn't detect a virus either. I'm running Firefox 5 with NoScript, so if there is a piece of malware involved, it might be through one of the many additional domains that site is tied into. It really annoys me when sites rely on other domains for content functionality (although I understand why site owners do this).
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/