Re: Finally - Curphey award 2004 to SPI Dynamics

["wirepair" <wirepair () roguemail net>]

Good point,
One problem, the developers that make these mistakes/don't code properly are ALREADY LAZY. Otherwise we wouldn't 
have this insane amount of a problem to begin with. Or they were just never taught to code securely which is 
more likely the case... The fact that they are using this product most likely *will*
make them think about security. And if they don't, as they say, this product will protect against 70%
of common mistakes. (uhm that 30% kinda worries me but at least they are being realistic :D). I also
like the idea of OWASP doing something like you mentioned but uhm, who are we to tell them what to do :D.

So basically, if they programmers are lazy this will protect them in some sense. If they aren't, it's a nice
tool to augment their code and hopefully reduce the risk of mistakes being made.
just my thoughts...
-wire

On Tue, 29 Jun 2004 08:46:32 -0300
 Mads Rasmussen <mads () opencs com br> wrote:
> Mark Curphey wrote:
> > Here I am, depressed at the prospect of filling in mountains of expense
> > claims from weeks of traveling and approving mundane mails to webappsec
> > about XSS after XSS and along comes a shining light. At last an "application
> > security" company that gets it ! Hats of to the folks at SPI and the Curphey
> > Award for 2004 for leading the industry down the right path !
> >
> > http://biz.yahoo.com/prnews/040628/clm006_1.html
>
> Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp
>
> I don't know about you guys but I have a bad feeling about this. I am not sure this is the right path.
>
> The article quotes Caleb Sima, founder and chief technology officer of SPI Dynamics saying "It doesn't require developers to 
> learn about security," - "You really just need to validate input to eliminate most application vulnerabilities."
>
> Shouldn't you at least have a feeling for where the developers makes their mistakes to be able to insert the right piece of 
> secure code?
>
> By all means it looks like a cool product, but how much can we trust it?
>
> One of its features is, qoute
> "Input Validation objects will check incoming data on web forms to
> validate user-supplied input against a set of rules and prevent
> parameter manipulation exploits, such as SQL Injection attacks."
>
> Can we trust these "set of rules".
> If they opened their technology, the OWASP team could contribute rules to such a database and then we just might get somewhere by 
> having a list of f.ex regular expressions for using the validator classes in .Net or input validation in general but that would 
> probably not happen.
>
> I am concerned that products like this just leads to lazy developers.
>
> Jeff what do you think about this? You wanted to start an input validation project based on filters, a database like described 
> above would be quite handy :o)
>
> Just my two bits
>
> --
> Mads Rasmussen, M.Sc.
> Open Communications Security
> www.opencs.com.br
> +55 11 3345 2525

--
Visit Things From Another World for the best
comics, movies, toys, collectibles and more.
http://www.tfaw.com/?qt=wmf