Secure Coding mailing list archives
RE: Standards for security
From: Nick Lothian <nl () essential com au>
Date: Wed, 14 Jan 2004 00:09:47 +0000
> I guess my concern is that the size of the problem is not really well known, because so much of it is held secret. What percentage of customer databases out there are vulnerable? Is it the sort of number you could begin to figure out, or would it simply be a best guess?
The question isn't how many customer databases are vulnerable - the question is how vulnerable they are and to what kind of attack. It is one thing to have a database exposed to a malicious DBA, but it should cause a lot more concern if you can get customers' credit card numbers via SQL injection from the web.
> To what extent is this standard a fact, and to what extent is it a goal?
I think an increasing number of customers expect "best practice" for security. The definition of "best practice" is tricky of course, but often includes the OWASP guidelines.

Nick
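The distinction Nick draws above (a database exposed to an insider versus one reachable through SQL injection from the web) is easiest to see with the two query styles side by side. The following is an added example, not code from the original post or from any list member; it uses a constructed in-memory SQLite table with fake card numbers and a hypothetical `customers` schema, and the hostile input is the textbook test string used to show why string-spliced SQL fails and bound parameters do not.

```python
import sqlite3

# Constructed sample data: a tiny customer table. The card values are
# well-known test numbers, not real cards.
CUSTOMERS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def make_db():
    """Build a fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the caller's string is spliced into the SQL text,
    so the input can change the query's structure, not just its value."""
    sql = "SELECT name, card FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds the value as data. Whatever the
    string contains, the WHERE clause still compares one column to one
    literal, so the query cannot grow into a dump of the whole table."""
    sql = "SELECT name, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def expect_at_most_one(rows):
    """Defensive check for a lookup that should identify a single customer:
    a result set larger than one row is a signal that something other than
    a plain name reached the query and is worth logging."""
    if len(rows) > 1:
        raise ValueError("lookup returned %d rows, expected at most 1" % len(rows))
    return rows


def demo():
    """Run both query styles against a benign and a hostile input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed test input, not a real request
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the vulnerable lookup, the hostile string turns the filter into `name = 'x' OR '1'='1'` and every card in the table comes back; the parameterized lookup searches for a customer literally named `x' OR '1'='1` and returns nothing. The `expect_at_most_one` guard is the kind of cheap secondary control worth keeping even after parameterizing: it does not prevent injection, but it makes an unexpectedly large result set visible in application logs rather than silent.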