WebApp Sec mailing list archives
RE: Standardized Security Reference Libraries->was-> The Right Approach to Web Developer Education
From: "Arian J. Evans" <arian () anachronic com>
Date: Tue, 29 Jun 2004 21:47:18 -0500
Comments below:
> What about the many 'good' and 'bad' programmers who are 'driven' to 'crunch' out code hour to hour. These programmers cannot write security frameworks from scratch.
Well, some can; I've seen it. But,
> They need help. Developers don't write GUI controls from scratch anymore. They use toolkits. GUI Toolkits, Security Toolkits, far from failures!
Exactly. I 100% agree. The VB IDE doesn't exist so you can get close to the machine or write snarling lean mean code. A whole lot of companies like the cost of that and the guy who can use it better than a champion C++ or Java developer. And that person isn't likely to become a security expert anytime soon, if ever. And I don't see anything wrong with that.

After reading this thread I was surprised some people were against security libraries for an IDE. Yes, I know how they fail. And I've seen them succeed. One client I work with regularly has built a very mature proprietary security framework with reusable components (like validation controls). When they have holes in their dozens or hundreds of applications, it's because someone didn't know to use the components, forgot to use them, or thought they used them right and made a /mistake/.

Developers almost always have priorities other than security. Someone said it's really a management issue. Yes and no. The business has priorities, and if they don't value the security risks highly or just choose to accept the risk, that's their choice.

That said, the most consistently mature environment I've tested and reviewed applications for (and I've tested and reviewed and retested) is the one with the standardized security libraries. It's not a magic bullet, just like scanners. It can provide a false sense of security, just like scanners. But it seems to work most of the time, and when it doesn't work, the problems are more quickly/easily fixed than most places I've seen. Security 'most of the time' is _a_lot_ better than all the places I see that seem to have security none of the time.

My $0.01, deprecated for lack of processing power,

Arian

(Disclaimer: My private opinions do not reflect the thoughts or position of my employer on these subjects. etc. etc.)
Current thread:
- RE: The Right Approach to Web Developer Education Burke, Charles (Jun 29)
- RE: The Right Approach to Web Developer Education Burke, Charles (Jun 29)
- RE: Standardized Security Reference Libraries->was-> The Right Approach to Web Developer Education Arian J. Evans (Jun 30)
- RE: The Right Approach to Web Developer Education Cronican, John (Jun 29)
- RE: The Right Approach to Web Developer Education Wolf, Yonah (Jun 30)