Recently in Security Category

Evasive Security


I was busy implementing a system for a client using C++ on Win32 when I had to use the sprintf function. As I knew it was insecure, I looked up the function's details, only to be caught in an infinite web of evasion.

If you have ever written HTML pages that send form data back to a backend server, you must have come across the need to sometimes restrict the user from changing a value, and therefore used a read-only form field. This can cause serious trouble...

Is security really important?


I had the pleasure of being in a meeting room a few weeks ago in a large, respected company with some of their technical experts discussing the security considerations for a project I am consulting on.

Since I am paranoid about security, I obviously tried to push them to up the security on the system dramatically (they are hosting it and will eventually take over the responsibility for securing it). It was so startling to witness their responses to many of my recommendations that I started to realise exactly how ignorant many people are of IT security.