Secure Coding mailing list archives

SC-L Digest, Vol 6, Issue 56


From: platsakos at gmail.com (AK)
Date: Fri, 19 Mar 2010 19:56:25 +0200


It is way easier for attackers to reverse engineer desktop applications
than web applications. Assuming proper server configuration, it is next
to impossible for an attacker to get the server side source code or
compressed form (e.g. WARs) for a web application and proceed with
disassembly/decompilation/patching. I do not have any experience with
obfuscating or otherwise armoring executables created from scripting
languages (such as win32's py2exe) but I would venture a guess that it
would be tedious and less effective than armoring a C/C++ based executable.

To turn the argument the other way round, if we accept what you say as
correct within the realm of web applications, the Ruby-On-Rails and
Django guys (to name but two) are in a serious folly and are not able to
provide secure frameworks owing to their choice of scripting languages.
I, for one, do not think that this is the case :-)

sc-l-request at securecoding.org wrote:

Message: 6
Date: Thu, 18 Mar 2010 15:11:29 -0400
From: ljknews <ljknews at mac.com>
To: sc-l at securecoding.org
Subject: Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)
Message-ID: <p05200f40c7c82b12ba95@[146.115.107.213]>
Content-Type: text/plain; charset=us-ascii

At 7:36 PM +0200 3/18/10, AK wrote:

Who says so, in the context of web applications?
I can see it (somewhat) from a "desktop" application
perspective, but how is this relevant in web apps?
  

Why should standards for a "web" application be different than
for a "desktop" application?
-- Larry Kilgallen


