WebApp Sec mailing list archives
Re: Prevent security bypass
From: Alex Russell <alex () netWindows org>
Date: Thu, 6 Feb 2003 12:02:15 -0600
On Thursday 06 February 2003 08:49, TUER, DON wrote:
> Number one recommendation is to upgrade to ASP.NET. It has built-in form authentication and can secure pages at any level.

I'm having a hard time buying this argument, mainly because .NET is entirely new code. I don't care what kind of religion Redmond says it's found, the proof is in the pudding, and the pudding is still telling us that it takes at least 3 releases for MS to get to anything approaching functionally secure. The development community at large has been bitten enough times that we should, frankly, know better. Anyone doing code audits will tell you that if you want to find problems with some code, you look at the newest code first.

So to get some level of protection from a now standard feature, you are suggesting introducing an entirely new level of complexity and a set of technologies he/she is even less likely to understand than the tools he/she is already using? Seems the tradeoff there isn't very good from a security standpoint. If the poster isn't already tied to .NET, having them move to an immense new chunk of beta-quality code seems like a dubious suggestion, IMO.

--
Alex Russell
alex () netWindows org
alex () SecurePipe com