RE: CGI security vs ASP security

["David Gillett" <gillettdavid () fhda edu>]

> -----Original Message-----
> From: Jens Porup [mailto:jens () cyber com au]
>
> On Thu, Apr 10, 2003 at 12:52:19PM -0400, Teodorski, Chris wrote:
> > I am looking for some opinions on whether ASP is inherently more
> > secure than CGI? Or is it just easier to implement ASP
> > securely......and securing CGI takes work and knowledge.......
>
> CGI is a protocol, ASP is a language... ASP is a crap 
> Microsoft product
> I wouldn't use to add one and one.... if by CGI you mean 
> Perl, then yes,
> Perl is a *good thing*

  Perhaps a little more to the point:

  ASP, I believe, runs as a DLL within the webserver application's
process space; CGI is a protocol to invoke external programs.  So
there's a potential for ASP to kill/cripple/compromise the server
process itself that is greatly reduced by using CGI.
  But both of these involve server-side code.  Getting mal code
onto the server in the first place is the first hurdle; if you let
people do that, you're no longer in control of whether it uses ASP
or CGI.

David Gillett



-------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  www.blackhat.com
-------------------------------------------------------------------