Wednesday, September 20, 2006

Application Error Handling: Tips for Avoiding Death by a Thousand Cuts

By Bryan Sullivan and Billy Hoffman, SPI Dynamics

When an application error occurs, whether due to user input or an internal function, software developers want to present an error message that will help the end user correct the problem. But by providing overly detailed application error messages, you can actually be opening your site to hackers. Sometimes, it is a seemingly innocuous piece of information in an application error message that provides an attacker with the last bit of information he needs to launch a devastating attack.

Here are some practical tips for ensuring that you're providing the right amount of information to the right people.
