WebApp Sec mailing list archives
RE: Finally - Curphey award 2004 to SPI Dynamics
From: <PPowenski () oag com>
Date: Tue, 29 Jun 2004 15:59:36 +0100
In addition to the points below..... Even though security awareness should be provided to developers to understand the implication of creating code, it should not be as heavy a burden as it is turning into. The esoteric aspects that some of the attacks take and the combination of events to gain access is an entirely different stream of thought that developers usually do not focus on. At least the ones I have come across. The core problem related to security with all the APIs, tools, scripting engines, and compilers can be attributed to those who created them for developers to create code. If a developer has to engage in working out for himself the complex issues of using the API and where it touches the system, its access control mechanisms, and paths to the network, then the burden detracts significantly from getting the job done. Understanding these aspects is a large undertaking in itself. Most manufacturers do not want many folks to know these details as well. If the founders of our set of developer tools had enough insight to consider this it would probably be much better for all of us.

just my 2c

paul

-----Original Message-----
From: Stan Guzik [mailto:SGuzik () ImmediaTech com]
Sent: 29 June 2004 14:26
To: Mads Rasmussen; Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: RE: Finally - Curphey award 2004 to SPI Dynamics

Hello,

In my opinion, whatever it is worth, developers are burdened with countless issues like security, performance, stability, etc. Whenever we can encapsulate security items like input/output validations and not have the developer spend lots of time on it, the better. Developers should spend time on features and functionality of software and less time on the above. As developers we need to get to a point where we have components and procedures that we plug into our software and it takes care of security for us. In an idealistic world developers should not worry about security; one day we'll get there...
Using more security components and spending more time improving our components will lead to more secure software. One of my developers attended the OWASP AppSec 2004 conference and came back to me saying "We already do this stuff but he never knew about it..." I incorporated the OWASP Guide into our development procedures and my developers just followed our standards. As a manager I felt proud.

Does anyone know of any open source components like the one developed by SPI?

Thanks,
Stan Guzik

-----Original Message-----
From: Mads Rasmussen [mailto:mads () opencs com br]
Sent: Tuesday, June 29, 2004 7:47 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: Finally - Curphey award 2004 to SPI Dynamics

Mark Curphey wrote:
> Here I am, depressed at the prospect of filling in mountains of expense
> claims from weeks of traveling and approving mundane mails to webappsec
> about XSS after XSS and along comes a shining light. At last an "application
> security" company that gets it! Hats off to the folks at SPI and the Curphey
> Award for 2004 for leading the industry down the right path!
> http://biz.yahoo.com/prnews/040628/clm006_1.html

Here is another link: http://www.eweek.com/article2/0,1759,1617901,00.asp

I don't know about you guys but I have a bad feeling about this. I am not sure this is the right path. The article quotes Caleb Sima, founder and chief technology officer of SPI Dynamics, saying "It doesn't require developers to learn about security" - "You really just need to validate input to eliminate most application vulnerabilities."

Shouldn't you at least have a feeling for where the developers make their mistakes to be able to insert the right piece of secure code?

By all means it looks like a cool product, but how much can we trust it? One of its features is, quote, "Input Validation objects will check incoming data on web forms to validate user-supplied input against a set of rules and prevent parameter manipulation exploits, such as SQL Injection attacks." Can we trust this "set of rules"?

If they opened their technology, the OWASP team could contribute rules to such a database and then we just might get somewhere by having a list of e.g. regular expressions for using the validator classes in .Net or input validation in general, but that would probably not happen.

I am concerned that products like this just lead to lazy developers.

Jeff, what do you think about this? You wanted to start an input validation project based on filters; a database like described above would be quite handy :o)

Just my two bits

--
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525
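The kind of rule-driven input validation component Mads quotes above, as an added example that is not code from SPI Dynamics, OWASP or anyone on this thread. It is written in Python rather than .NET, and the field names, the regular-expression rules, the table schema and the sample submissions are all constructed assumptions. It checks every form field against an allowlist rule from a central rule table (unknown fields are rejected rather than passed through) and then binds the validated values as query parameters, which is the check a practitioner would still want: a free-text rule has to admit apostrophes and commas, so a validation pass on its own says nothing about whether the value is safe to splice into SQL.

```python
import re
import sqlite3

# Constructed rule database: one allowlist rule per form field, as a
# compiled regex (matched against the whole value) plus a maximum length.
# Field names and patterns are assumptions for this example, not the
# rules of any real product.
RULES = {
    "username": (re.compile(r"[A-Za-z0-9_.-]{3,32}"), 32),
    "zipcode":  (re.compile(r"\d{5}(-\d{4})?"), 10),
    "quantity": (re.compile(r"[1-9]\d{0,3}"), 4),
    # Free text has to admit apostrophes and punctuation, so this rule
    # cannot, by itself, say anything about SQL safety.
    "comment":  (re.compile(r"[\w\s.,'!?()-]{0,200}"), 200),
}


def validate_form(form, rules=RULES):
    """Check a submitted form (dict of field -> str) against the rule table.

    Returns (ok, errors); errors maps a field name to the reason it failed.
    Every rule is treated as a required field, and fields with no rule are
    rejected rather than silently passed through.
    """
    errors = {}
    for name, value in form.items():
        if name not in rules:
            errors[name] = "no validation rule for this field"
            continue
        pattern, max_len = rules[name]
        if not isinstance(value, str):
            errors[name] = "value is not a string"
        elif len(value) > max_len:
            errors[name] = "longer than %d characters" % max_len
        elif pattern.fullmatch(value) is None:
            errors[name] = "does not match the allowed format"
    for name in rules:
        if name not in form:
            errors[name] = "missing required field"
    return (not errors, errors)


def make_db():
    """Create an in-memory table for the demonstration (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (username TEXT, zipcode TEXT, quantity INTEGER, comment TEXT)"
    )
    return conn


def store_order(conn, form):
    """Validate, then insert with a parameterised query.

    The validator is the first gate; the parameter binding is what keeps
    user data out of the SQL grammar even where a rule is permissive.
    Returns the stored row, or None if validation failed.
    """
    ok, errors = validate_form(form)
    if not ok:
        return None
    conn.execute(
        "INSERT INTO orders (username, zipcode, quantity, comment) VALUES (?, ?, ?, ?)",
        (form["username"], form["zipcode"], int(form["quantity"]), form["comment"]),
    )
    return conn.execute(
        "SELECT username, zipcode, quantity, comment FROM orders WHERE username = ?",
        (form["username"],),
    ).fetchone()


# Constructed sample submissions: one well-formed, one that breaks every rule.
GOOD_FORM = {"username": "alice_01", "zipcode": "90210",
             "quantity": "2", "comment": "Ring the bell, it's the side door."}
BAD_FORM = {"username": "bob' OR 'a'='a", "zipcode": "9021O",
            "quantity": "0", "comment": "x" * 201, "coupon": "FREE"}

if __name__ == "__main__":
    conn = make_db()
    print("good form ->", validate_form(GOOD_FORM))
    print("bad form  ->", validate_form(BAD_FORM))
    print("stored    ->", store_order(conn, GOOD_FORM))
```

Running the script shows the well-formed submission passing and the bad one rejected field by field. Keeping the rules in one table is what makes a shared, reviewable rule database of the sort Mads describes possible; the parameterised insert is what makes the permissive `comment` rule acceptable, since the apostrophe in the good form's comment is stored as data rather than interpreted as SQL.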
Current thread:
- Finally - Curphey award 2004 to SPI Dynamics Mark Curphey (Jun 28)
- Re: Finally - Curphey award 2004 to SPI Dynamics Mads Rasmussen (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Mark Curphey (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics wirepair (Jun 29)
- <Possible follow-ups>
- RE: Finally - Curphey award 2004 to SPI Dynamics Stan Guzik (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics Daniel Cuthbert (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Thomas Ryan (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics Daniel Cuthbert (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Madsen, Villy (Jun 29)
- The Right Approach to Web Developer Education Mark Curphey (Jun 29)
- RE: The Right Approach to Web Developer Education Yvan Boily (Jun 29)
- The Right Approach to Web Developer Education Mark Curphey (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics PPowenski (Jun 29)
- Re: Finally - [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Jeremiah Grossman (Jun 29)
- RE: [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Arian J. Evans (Jun 30)
- Re: [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Jeremiah Grossman (Jun 30)
- Re: Finally - [Logical vs. Technical] was Curphey award 2004 to SPI Dynamics Jeremiah Grossman (Jun 29)
- Re: Finally - Curphey award 2004 to SPI Dynamics Mads Rasmussen (Jun 29)
- RE: Finally - Curphey award 2004 to SPI Dynamics Madsen, Villy (Jun 29)