WebApp Sec mailing list archives

RE: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)


From: "Martin O'Neal" <martin.oneal () corsaire com>
Date: Wed, 16 Jul 2008 11:02:43 +0100


> this is fairly stupid.

LOL; more stupid than vacuous name calling, or less?

> what financial institutions are
> using floating point and not decimal
> variables to represent their money?
> very few i'd guess. it hardly needs
> to be said that anyone using FP
> variables to do financial maths
> should be shot.

LOL2; unfortunately you have guessed wrong.  Do not pass go.  Do not
collect ukp200.  We see this kind of thing all the time in financial
applications.

> your last recommendation for c# is
> wrong. == is fine for numbers. your
> test above even proves it!

Er, obviously you have become confused due to the ambiguity of the bit
where it says "This type of caching does not exist in C# as can be seen
from the equivalent code example".

Thanks for the constructive criticism though.  

Martin...
