WebApp Sec mailing list archives

RE: Finally - Curphey award 2004 to SPI Dynamics


From: "Mark Curphey" <mark () curphey com>
Date: Tue, 29 Jun 2004 09:09:23 -0400

Mads,

Credit where credit is due. A "black box" scanning company moving towards
helping developers fix problems in the code rather than tell them they have
an issue when it's too late and too expensive to fix it. Put the open source
debate aside, where is the downside in that? They are doing the right thing
and moving in the right direction and I think they should be commended so
others do the same. The industry needs to move towards building better
software. These things are a step in the right direction.

This is of course hardly new. We have had the OWASP Common Library for Java
since 2001 and OWASP also has another Java input validation library called
Stinger (discussed at the OWASP conference). Good developers build libraries
all the time. But this may mark a fundamental shift for a popular scanning
company moving to helping developers to do the right thing rather than
telling them they haven't done the right thing, and I think they should have
a pat on the back.

Clearly an input validation library alone will not secure an application.
Data storage, access control etc. all need to be taken care of. There is
nothing stopping any development team building their own but many don't and
so pre-packaged libraries that they can use must be seen as a better
solution for those people. What am I missing here?
 
And yes, there has been C# .NET code lurking around OWASP developers
for a while to do this!

-----Original Message-----
From: Mads Rasmussen [mailto:mads () opencs com br] 
Sent: Tuesday, June 29, 2004 7:47 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: Finally - Curphey award 2004 to SPI Dynamics

Mark Curphey wrote:
Here I am, depressed at the prospect of filling in mountains of
expense claims from weeks of traveling and approving mundane mails to
webappsec about XSS after XSS and along comes a shining light. At last
an "application security" company that gets it! Hats off to the folks
at SPI and the Curphey Award for 2004 for leading the industry down the
right path!

http://biz.yahoo.com/prnews/040628/clm006_1.html

Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp

I don't know about you guys but I have a bad feeling about this. I am not
sure this is the right path.

The article quotes Caleb Sima, founder and chief technology officer of SPI
Dynamics saying "It doesn't require developers to learn about security," -
"You really just need to validate input to eliminate most application
vulnerabilities."

Shouldn't you at least have a feeling for where the developers make their
mistakes to be able to insert the right piece of secure code?

By all means it looks like a cool product, but how much can we trust it?

One of its features is, quote:
"Input Validation objects will check incoming data on web forms to validate
user-supplied input against a set of rules and prevent parameter
manipulation exploits, such as SQL Injection attacks."

Can we trust this "set of rules"?
If they opened their technology, the OWASP team could contribute rules to
such a database and then we just might get somewhere by having a list of
e.g. regular expressions for using the validator classes in .Net or input
validation in general, but that would probably not happen.

I am concerned that products like this just lead to lazy developers.

Jeff what do you think about this? You wanted to start an input validation
project based on filters, a database like described above would be quite
handy :o)

Just my two bits

--
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525
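An added illustration of the point both messages circle around, written for this archive page and not taken from either author, from SPI Dynamics or from the OWASP libraries mentioned: a small allow-list rule set of the kind Mads describes (regular expressions per form field, hypothetical field names), run against a constructed in-memory user table. It shows what such rules do catch, and why, as Mark says, they alone do not secure the application: a rule for surnames has to admit apostrophes and spaces, so a payload built only from those characters passes validation and still subverts a string-concatenated query, while a parameterised query is unaffected. Everything below (rule names, table, sample rows, payload) is constructed for the example.

```python
import re
import sqlite3

# Constructed allow-list rules, one per form field (hypothetical field names;
# not the rule set of any real product or library).
RULES = {
    "user_id": re.compile(r"[0-9]{1,9}"),
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    # Surnames legitimately contain apostrophes, spaces and hyphens
    # (O'Brien, Smith-Jones, van der Berg), so the rule has to allow them.
    "surname": re.compile(r"[A-Za-z][A-Za-z' -]{0,63}"),
}


def validate(form):
    """Check every submitted field against its allow-list rule.

    Returns a dict mapping field name -> reason for each field that fails;
    an empty dict means the form passed. Fields without a rule fail closed.
    """
    errors = {}
    for field, value in form.items():
        rule = RULES.get(field)
        if rule is None:
            errors[field] = "no validation rule defined"
        elif not rule.fullmatch(value):
            errors[field] = "does not match allow-list rule"
    return errors


def _demo_db():
    """Constructed in-memory table standing in for the application's users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Smith"), (2, "O'Brien")])
    return conn


def lookup_concat(surname):
    """Vulnerable lookup: the (already validated) value is spliced into SQL text.

    Returns the matching ids, or None when the built statement fails to parse.
    """
    conn = _demo_db()
    sql = "SELECT id FROM users WHERE surname = '%s' ORDER BY id" % surname
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_param(surname):
    """Hardened lookup: the value travels as a bound parameter, never as SQL."""
    conn = _demo_db()
    rows = conn.execute(
        "SELECT id FROM users WHERE surname = ? ORDER BY id", (surname,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    # 1. The rules do reject grossly malformed input.
    print(validate({"user_id": "7 OR 1", "username": "bob"}))

    # 2. A legitimate surname passes validation yet breaks the concatenated query
    #    (the apostrophe ends the SQL string early), while the bound query works.
    print(validate({"surname": "O'Brien"}),
          lookup_concat("O'Brien"), lookup_param("O'Brien"))

    # 3. A payload using only characters the surname rule must allow passes
    #    validation and turns the concatenated query into "return every row".
    payload = "Smith' OR surname IS NOT NULL OR 'x"
    print(validate({"surname": payload}),
          lookup_concat(payload), lookup_param(payload))
```

The surname rule cannot be tightened to block the payload without also rejecting real names; the fix is in how the query is built, which is the part a validation library never sees.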

