Secure Coding mailing list archives

Survey

From: stephencraig.evans at gmail.com (Stephen Craig Evans)
Date: Tue, 26 Aug 2008 22:41:51 +0800

Hi Jim,

" There are plenty of sites that are perfectly x/html valid that are
completely insecure."

Well, perhaps too many people have been listening to this drumbeat:
"In fact, a non-developer: such as someone in marketing who uses
Dreamweaver, could also do almost as much as a normal WAF by saving their
content as valid XHTML. This would buy the organization basic application
security functionality, which is what WAF also attempts to do."

http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

I rest my case.
Stephen

On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <jim at manico.net> wrote:

There are plenty of sites that are perfectly x/html valid that are
completely insecure.

There are plenty of sites that follow perfect w3c and other standards that
are completely insecure.

There are plenty of sites that are top-tier security vendors that, at least
in the past, have been insecure.

- Jim

At 11:11 AM -0400 8/24/08, Paco Hope wrote:

Clearly the survey's content is only of interest if the HTML validates.

The publisher of the web page is not in the security business,
they are in the publishing business. But how can I respect
their publishing expertise if they fail a simple automatic
test.

And how can their target audience of security folk, who depend
strongly on following standards respect the knowledge of a
publisher who does not follow publishing standards.

On Aug 24, 2008, at 9:47 AM, "ljknews" <ljknews at mac.com> <ljknews at mac.com> wrote:

At 2:43 PM -0400 8/22/08, Gary McGraw wrote:

BankInfoSecurity is running a survey on software security that some
of you may be interested in participating in. Try it yourself here:
http://www.bankinfosecurity.com/surveys.php?surveyID=1

Hmmm. http://validator.w3.org says there are 973 errors on that page.

--
Jim Manico, Senior Application Security Engineerjim.manico at aspectsecurity.com | jim at manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security?
Securing your applications at the sourcehttp://www.aspectsecurity.com

---------------------------------------------------------------
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Sept 22nd-25th 2008

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20080826/168c4d3f/attachment.html

Current thread:

Survey Gary McGraw (Aug 22)
- Survey ljknews (Aug 23)
  - Survey Paco Hope (Aug 24)
    - Survey ljknews (Aug 24)
    - Survey Jim Manico (Aug 24)
    - Survey Stephen Craig Evans (Aug 26)
    - Survey Jim Manico (Aug 26)
    - Survey ljknews (Aug 26)
    - Survey Paco Hope (Aug 26)
    - Survey Jim Manico (Aug 26)
    - Message not available
    - Survey ljknews (Aug 24)
    - Survey Romain Gaucher (Aug 26)
- <Possible follow-ups>
- Survey Gary McGraw (Aug 24)