Secure Coding mailing list archives
Re: free lunch almost over
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Tue, 01 Feb 2005 21:39:24 +0000
Right on! Great article. Concurrency is a huge issue and nowhere more important than web applications. Many, many developers are writing web apps and not realizing that they are heavily multithreaded. They develop and test on their desktop in a single-user environment, so they don't see the problems. Even many load testing frameworks will not exercise a concurrency problem, as they don't tend to send a wide variety of requests.

We've found these problems in web applications of every flavor. And they *are* being experienced by customers. Imagine that once in a great while, a user just gets another user's account page. Then after a refresh it's gone and everything is working fine. Very difficult to find or reproduce for maintenance programmers. One of our customers had exactly this problem in their application and it was uncovered by a user who happened to report it.

If you're interested, there's a lesson in WebGoat at OWASP that teaches developers about these flaws and how to avoid them.

--Jeff

----- Original Message -----
From: "Gunnar Peterson" <[EMAIL PROTECTED]>
To: "Secure Coding Mailing List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 01, 2005 2:10 PM
Subject: [SC-L] free lunch almost over

If you do the math on what comes next after the processor manufacturers' free lunch is over, the implications to concurrency, security, and privacy are huge:

http://www.gotw.ca/publications/concurrency-ddj.htm

How do traditional security mechanisms function in a massively concurrent world? How relevant are they? What new security designs are needed? Is it too late to bail and head for academia?

-gp
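One common cause of the symptom described in the message above (a user briefly receiving another user's account page) is per-request state kept in a field of an object that all request threads share. The sketch below is an added example, not part of the original post or of WebGoat; the handler classes and account data are constructed, and a barrier forces the overlap that real traffic produces only occasionally.

```python
import threading

ACCOUNTS = {"alice": "balance 120", "bob": "balance 980"}  # constructed sample data

class SharedFieldHandler:
    """Flawed: one instance serves all requests and keeps request state in a field."""
    def __init__(self, barrier):
        self.barrier = barrier
        self.user = None  # visible to every request thread

    def handle(self, user):
        self.user = user     # each request stores its user in the shared field
        self.barrier.wait()  # force the overlap: every request has written by now
        return f"{self.user}: {ACCOUNTS[self.user]}"  # reads the last writer's value

class LocalStateHandler:
    """Fixed: request state lives in a local variable, private to each thread."""
    def __init__(self, barrier):
        self.barrier = barrier

    def handle(self, user):
        current = user
        self.barrier.wait()  # same overlap, but there is nothing shared to clobber
        return f"{current}: {ACCOUNTS[current]}"

def serve_concurrently(handler_cls, users):
    """Send one request per user through a single handler instance, in parallel."""
    handler = handler_cls(threading.Barrier(len(users)))
    pages = {}

    def request(user):
        pages[user] = handler.handle(user)

    threads = [threading.Thread(target=request, args=(u,)) for u in users]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return pages

def misdelivered(pages):
    """Users whose response starts with someone else's name."""
    return sorted(u for u, page in pages.items() if not page.startswith(u + ":"))

if __name__ == "__main__":
    for cls in (SharedFieldHandler, LocalStateHandler):
        print(cls.__name__, misdelivered(serve_concurrently(cls, ["alice", "bob"])))
```

Without the barrier the flawed handler passes almost every single-user test run, which matches the point in the message that desktop testing does not surface the problem.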