Secure Coding mailing list archives
Re: Re: Application Insecurity --- Who is at Fault?
From: Michael Silk <michaelslists () gmail com>
Date: Tue, 12 Apr 2005 04:23:49 +0100
Joel,

On Apr 12, 2005 12:45 AM, Joel Kamentz <[EMAIL PROTECTED]> wrote:

> Re: bridges and stuff. Let's use an example someone else already brought up -- cross site scripting. How many people feel that, before it was ever known or had ever occurred the first time, good programming practices should have prevented any such vulnerability from ever happening? I actually think that would have been possible for the extremely skilled and extremely paranoid. However, we're asking people to protect against the unknown.

I would be of the opinion that good programming practices should have prevented it. And it doesn't take a 'really skilled' programmer either; it's really simple: you are writing your input into some context, so make sure your input isn't allowed to escape into another context. I.e. you are taking _text_ and displaying it as _text_. It could take on the context of _html_. You don't want this, so you escape the _html_ special characters so it always displays as _text_.

> I don't have experience with the formal methods, but I can see that, supposing this were NASA, etc., formal approaches might lead to perfect protection. However, all of that paranoia, formality or whatever takes a lot of time, effort and therefore huge economic impact.

I don't see that. If we are just talking about the 'programming' part and not the 'designing' part, it's really pretty straightforward to do what is required.

> I guess my personal opinion is that unit testing, etc. are great shortcuts (compared to perfect) which help reduce flaws, but with lesser expense.

You would still use these things.

-- Michael
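The context-escaping rule Michael describes (text written into an HTML context must stay text), worked through as an added example; this is not code from the thread, and the function names and sample inputs below are constructed for illustration. It shows the raw interpolation beside the escaped form for element content and for a quoted attribute, plus a check that the input survives only in its escaped form, and it goes slightly beyond the post by covering the attribute context as well as element content.

```python
# Added example (not from the original thread): output escaping so that user
# text stays text when written into an HTML context. Function names and the
# sample inputs here are constructed for illustration.
import html

# The characters that let plain text take on meaning as HTML markup.
_HTML_ESCAPES = {
    "&": "&amp;",   # ampersand first, otherwise the other entities are ambiguous
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html_text(s: str) -> str:
    """Return s with markup-significant characters replaced by entities.

    Correct for element content and for quoted attribute values; it is not
    the right escaper for URL, CSS or JavaScript contexts, which have their
    own special characters.
    """
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in s)


def matches_stdlib(s: str) -> bool:
    """The hand-written table does exactly what html.escape(s, quote=True) does."""
    return escape_html_text(s) == html.escape(s, quote=True)


def render_comment_unsafe(comment: str) -> str:
    """The 'before': input interpolated raw, so it can escape into the markup context."""
    return f"<p>{comment}</p>"


def render_comment(comment: str) -> str:
    """The 'after': input escaped for the element-content context."""
    return f"<p>{escape_html_text(comment)}</p>"


def render_name_field(name: str) -> str:
    """Attribute context: always quote the attribute and escape the value,
    so a quote character in the input cannot terminate the attribute."""
    return f'<input name="user" value="{escape_html_text(name)}">'


def input_kept_as_text(rendered: str, inserted: str) -> bool:
    """True when `inserted` appears in `rendered` only in its escaped form,
    i.e. it stayed in the text context instead of becoming markup."""
    escaped = escape_html_text(inserted)
    return escaped in rendered and (inserted == escaped or inserted not in rendered)


if __name__ == "__main__":
    # Constructed sample inputs: markup characters that are legitimate text.
    comment = "Tom & Jerry <b>not bold</b>"
    name = '5" tall'
    print("unsafe:", render_comment_unsafe(comment))
    print("safe:  ", render_comment(comment))
    print("attr:  ", render_name_field(name))
    print("stayed text:", input_kept_as_text(render_comment(comment), comment))
```

The check in `input_kept_as_text` is a useful unit-test helper for exactly the practice Joel asks about: render a fixture containing markup characters and assert the escaped form, not the raw form, appears in the output. Changing the output context (a URL parameter, an inline script) means changing the escaper, not adding more characters to this table.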