WebApp Sec mailing list archives
Re: Finally - Curphey award 2004 to SPI Dynamics
From: "wirepair" <wirepair () roguemail net>
Date: Tue, 29 Jun 2004 05:19:03 -0800
Good point,One problem, the developers that make these mistakes/don't code properly are ALREADY LAZY. Otherwise we wouldn't have this insane amount of a problem to begin with. Or they were just never taught to code securely which is more likely the case... The fact that they are using this product most likely *will*
make them think about security. And if they don't, as they say, this product will protect against 70% of common mistakes. (uhm that 30% kinda worries me but at least they are being realistic :D). I also like the idea of OWASP doing something like you mentioned but uhm, who are we to tell them what to do :D. So basically, if they programmers are lazy this will protect them in some sense. If they aren't, it's a nice tool to augment their code and hopefully reduce the risk of mistakes being made. just my thoughts... -wire On Tue, 29 Jun 2004 08:46:32 -0300 Mads Rasmussen <mads () opencs com br> wrote:
Mark Curphey wrote:Here I am, depressed at the prospect of filling in mountains of expense claims from weeks of traveling and approving mundane mails to webappsec about XSS after XSS and along comes a shining light. At last an "application security" company that gets it ! Hats of to the folks at SPI and the Curphey Award for 2004 for leading the industry down the right path ! http://biz.yahoo.com/prnews/040628/clm006_1.htmlHere is another link http://www.eweek.com/article2/0,1759,1617901,00.asp I don't know about you guys but I have a bad feeling about this. I am not sure this is the right path.The article quotes Caleb Sima, founder and chief technology officer of SPI Dynamics saying "It doesn't require developers to learn about security," - "You really just need to validate input to eliminate most application vulnerabilities."Shouldn't you at least have a feeling for where the developers makes their mistakes to be able to insert the right piece of secure code?By all means it looks like a cool product, but how much can we trust it? One of its features is, qoute "Input Validation objects will check incoming data on web forms to validate user-supplied input against a set of rules and prevent parameter manipulation exploits, such as SQL Injection attacks." Can we trust these "set of rules".If they opened their technology, the OWASP team could contribute rules to such a database and then we just might get somewhere by having a list of f.ex regular expressions for using the validator classes in .Net or input validation in general but that would probably not happen.I am concerned that products like this just leads to lazy developers.Jeff what do you think about this? You wanted to start an input validation project based on filters, a database like described above would be quite handy :o)Just my two bits -- Mads Rasmussen, M.Sc. Open Communications Security www.opencs.com.br +55 11 3345 2525
-- Visit Things From Another World for the best comics, movies, toys, collectibles and more. http://www.tfaw.com/?qt=wmf
Current thread:
- Finally - Curphey award 2004 to SPI Dynamics Mark Curphey (Jun 28)
- Re: Finally - Curphey award 2004 to SPI Dynamics Mads Rasmussen (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Mark Curphey (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics wirepair (Jun 29)
- <Possible follow-ups>
- RE: Finally - Curphey award 2004 to SPI Dynamics Stan Guzik (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics Daniel Cuthbert (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Thomas Ryan (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics Daniel Cuthbert (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Madsen, Villy (Jun 29)
- The Right Approach to Web Developer Education Mark Curphey (Jun 29)
- RE: The Right Approach to Web Developer Education Yvan Boily (Jun 29)
- The Right Approach to Web Developer Education Mark Curphey (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics PPowenski (Jun 29)
- Re: Finally - [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Jeremiah Grossman (Jun 29)
- RE: [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Arian J. Evans (Jun 30)
- Re: [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Jeremiah Grossman (Jun 30)
- Re: Finally - [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Jeremiah Grossman (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics Mads Rasmussen (Jun 29)