There still seem to be many people who assume that “using SSL” or “keeping the default password secret” are effective countermeasures against being compromised. This is partly true for SSL (correctly implemented and configured, it protects the confidentiality and integrity of your data in transit), but default passwords are “evil by default”. You have to take care of every potential attack, and you should pay attention to the OWASP Top 10.
You might see examples of this in two recent incidents:
- An ATM in Winnipeg was “hacked” by some 14-year-olds: they simply found the manual online, and that manual not only describes how to enter “administrator mode”, it also contains the default password.
As a developer you clearly need a basic understanding of SSL, authentication methods and encryption, but to produce secure software you also need to understand the risks. Applying a few random countermeasures is not what makes your application secure; you need to understand the things that may make it insecure, such as default passwords (which are a bad idea by default), XSS, CSRF, injection, etc.
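To make the default-password point concrete, here is an added example (not code from the original post, and not related to the ATM vendor): a device that ships with a working administrator account and a documented default password, next to a hardened variant that has no usable administrator password until the operator sets one. The device classes, the placeholder default password and the “provisioning token printed on the unit” are all assumptions made up for the illustration.

```python
"""Shipped-default login beside a hardened first-boot provisioning flow.

Added example, not code from the original post. The device classes, users and
the default password below are constructed placeholders.
"""
import hashlib
import hmac
import os
import secrets

# Constructed placeholder; stands in for any vendor default printed in a manual.
SHIPPED_DEFAULT_PASSWORD = "123456"
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=b""):
    """Return (salt, PBKDF2-SHA256 digest); a fresh random salt if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate's digest with the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class VulnerableDevice:
    """Ships with an admin account whose password anyone can read in the manual.

    Hashing the password properly changes nothing here: the attacker does not
    need to crack it, they already know it.
    """

    def __init__(self):
        self.users = {"admin": hash_password(SHIPPED_DEFAULT_PASSWORD)}

    def login(self, username, password):
        cred = self.users.get(username)
        return cred is not None and verify_password(password, *cred)


class HardenedDevice:
    """No usable admin password exists until the operator sets one.

    - provisioning is gated by a per-device random token (assumed to be printed
      on the unit itself, not in the manual),
    - the chosen password must not be a known vendor default and must meet a
      minimum length,
    - login fails closed while the device is unprovisioned.
    """

    KNOWN_DEFAULTS = {SHIPPED_DEFAULT_PASSWORD, "admin", "password", "0000"}
    MIN_LENGTH = 12

    def __init__(self):
        self.users = {}
        self.provisioning_token = secrets.token_urlsafe(16)
        self.provisioned = False

    def provision(self, token, new_password):
        if self.provisioned:
            raise PermissionError("already provisioned")
        if not hmac.compare_digest(token, self.provisioning_token):
            raise PermissionError("bad provisioning token")
        if new_password in self.KNOWN_DEFAULTS or len(new_password) < self.MIN_LENGTH:
            raise ValueError("refusing a default or short administrator password")
        self.users["admin"] = hash_password(new_password)
        self.provisioned = True

    def login(self, username, password):
        if not self.provisioned:  # fail closed: nothing to authenticate against yet
            return False
        cred = self.users.get(username)
        return cred is not None and verify_password(password, *cred)


def demo():
    """Exercise both devices with the password from the manual; return the outcomes."""
    vulnerable = VulnerableDevice()
    hardened = HardenedDevice()
    try:
        hardened.provision(hardened.provisioning_token, SHIPPED_DEFAULT_PASSWORD)
        rejected_default = False
    except ValueError:
        rejected_default = True
    unprovisioned_login = hardened.login("admin", SHIPPED_DEFAULT_PASSWORD)
    hardened.provision(hardened.provisioning_token, "correct horse battery staple")
    return {
        "vulnerable_default_login": vulnerable.login("admin", SHIPPED_DEFAULT_PASSWORD),
        "hardened_rejected_default_at_setup": rejected_default,
        "hardened_login_before_provisioning": unprovisioned_login,
        "hardened_default_login_after_setup": hardened.login("admin", SHIPPED_DEFAULT_PASSWORD),
        "hardened_real_login_after_setup": hardened.login("admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened variant is not the hashing (the vulnerable device hashes just as well) but that there is no credential an attacker can look up: the only secret that exists before setup is per-device and random, and the setup step refuses to recreate the published default.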