WebApp Sec mailing list archives
Re: Web 2.0 support group
From: "Catherine Pagliaro" <cc () csfm com>
Date: Wed, 9 Sep 2009 13:11:20 -0700 (PDT)
The Payment Card Industry Security Standards and Payment Application Data Security Standards attempt to get programmers to code securely. I underline attempt. We as payment application developers must follow owasp.org standards and common sense security best business practices for developing any type of code, hardening servers and locking down network systems, as well as assuring our physical environments are locked down to maintain our PCI DSS compliance. As we do these types of assessments it is frightening the lack of education and training on all aspects of physical and IT application development and hosting security. Education, training and attention to security best business practices for all types of software and languages is necessary to minimize the rising criminal activity. PCI DSS and the other security requirements for doing business online are just the first small step to getting all applications coded securely to avoid data loss, fraud and identity theft. We also need a commitment from all application developers to code securely...as we have a commitment from security professionals, law enforcement, the card associations and payment service providers and acquiring facilities to make this happen...Go to the PCI Security Standards website - you can google it...it is a first start at getting our industry standardized for coding securely....
Steve Pinkham wrote:

Steven M. Christey wrote:
> So I've been an observer of the "Web 2.0 is a security nightmare" camp with the occasional head nods and detached agreement, being enough of a generalist that I didn't have anything to add to the alarms raised by the specialists. Where is the support group for those who have recently realized just how desperate the situation is? I'm not being entirely facetious. Is there any hope at all?
> - Steve

1. No, but there is no hope for generalized security apart from "Web 2.0" either. There is only risk reduction.

2. Stop complaining about Web 2.0. Really. It doesn't exist. There are security problems specific to JSON, AJAX, REST, SOAP, FLEX, social networking, P2P, etc. If you want to actually discuss the risk, name the risk you're interested in. Web 2.0 doesn't mean anything we can discuss like rational people. Same goes for "the Cloud".

Steve
--
| Steven E. Pinkham |
| Security Researcher, Maven Security |
| steve.pinkham () mavensecurity com |
| GPG public key ID CD31CAFB |
Catherine Pagliaro, B.B.A., CEO, C.N. Wylie Group Inc.
703 - 889 West Pender, Vancouver, BC V6C3B2
#13 - 465 King Street East, Toronto, On, M5A1L6
Tel: 1 800 811-7811
Toronto Tel: 905 910-0575
www.cnwylie.com