Secure Coding mailing list archives
Survey
From: stephencraig.evans at gmail.com (Stephen Craig Evans)
Date: Tue, 26 Aug 2008 22:41:51 +0800
Hi Jim,

"There are plenty of sites that are perfectly x/html valid that are completely insecure."

Well, perhaps too many people have been listening to this drumbeat:

"In fact, a non-developer: such as someone in marketing who uses Dreamweaver, could also do almost as much as a normal WAF by saving their content as valid XHTML. This would buy the organization basic application security functionality, which is what WAF also attempts to do."
http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

I rest my case.

Stephen

On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <jim at manico.net> wrote:

> There are plenty of sites that are perfectly x/html valid that are completely insecure. There are plenty of sites that follow perfect w3c and other standards that are completely insecure. There are plenty of sites that are top-tier security vendors that, at least in the past, have been insecure.
>
> - Jim
>
> At 11:11 AM -0400 8/24/08, Paco Hope wrote:
>
>> Clearly the survey's content is only of interest if the HTML validates. The publisher of the web page is not in the security business, they are in the publishing business. But how can I respect their publishing expertise if they fail a simple automatic test? And how can their target audience of security folk, who depend strongly on following standards, respect the knowledge of a publisher who does not follow publishing standards?
>>
>> On Aug 24, 2008, at 9:47 AM, "ljknews" <ljknews at mac.com> wrote:
>>
>>> At 2:43 PM -0400 8/22/08, Gary McGraw wrote:
>>>
>>>> BankInfoSecurity is running a survey on software security that some of you may be interested in participating in. Try it yourself here:
>>>> http://www.bankinfosecurity.com/surveys.php?surveyID=1
>>>
>>> Hmmm. http://validator.w3.org says there are 973 errors on that page.
>
> --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing.
> BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________