Security Basics mailing list archives
RE: CGI security vs ASP security
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 14 Apr 2003 12:50:38 -0700
-----Original Message----- From: Jens Porup [mailto:jens () cyber com au] On Thu, Apr 10, 2003 at 12:52:19PM -0400, Teodorski, Chris wrote:I am looking for some opinions on whether ASP is inherently more secure than CGI? Or is it just easier to implement ASP securely......and securing CGI takes work and knowledge.......CGI is a protocol, ASP is a language... ASP is a crap Microsoft product I wouldn't use to add one and one.... if by CGI you mean Perl, then yes, Perl is a *good thing*
Perhaps a little more to the point: ASP, I believe, runs as a DLL within the webserver application's process space; CGI is a protocol to invoke external programs. So there's a potential for ASP to kill/cripple/compromise the server process itself that is greatly reduced by using CGI. But both of these involve server-side code. Getting mal code onto the server in the first place is the first hurdle; if you let people do that, you're no longer in control of whether it uses ASP or CGI. David Gillett ------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. www.blackhat.com -------------------------------------------------------------------
Current thread:
- CGI security vs ASP security Teodorski, Chris (Apr 11)
- Re: CGI security vs ASP security Jens Porup (Apr 14)
- Re: CGI security vs ASP security Corey Schaffer (Apr 15)
- RE: CGI security vs ASP security David Gillett (Apr 15)
- RE: CGI security vs ASP security Sarbjit Singh Gill (Apr 17)
- Re: CGI security vs ASP security Steven J. Sobol (Apr 22)
- <Possible follow-ups>
- Re: CGI security vs ASP security Rodriguez, Manuel (Apr 15)
- RE: CGI security vs ASP security Kline, Nathan C - CIEP-3 (Apr 15)
- Re: CGI security vs ASP security Jens Porup (Apr 16)
- RE: CGI security vs ASP security Jon Pastore (Apr 17)
- Re: CGI security vs ASP security Jens Porup (Apr 16)
- RE: CGI security vs ASP security Kline, Nathan C - CIEP-3 (Apr 17)
- Re: CGI security vs ASP security Jens Porup (Apr 14)