Secure Coding mailing list archives

Re: Re: Application Insecurity --- Who is at Fault?


From: Michael Silk <michaelslists () gmail com>
Date: Tue, 12 Apr 2005 04:23:49 +0100

Joel

On Apr 12, 2005 12:45 AM, Joel Kamentz <[EMAIL PROTECTED]> wrote:
> Re: bridges and stuff.
>
> Let's use an example someone else already brought up -- cross site scripting.  How many people
> feel that, before it was ever known or had ever occurred the first time, good programming
> practices should have prevented any such vulnerability from ever happening?  I actually think
> that would have been possible for the extremely skilled and extremely paranoid.  However, we're
> asking people to protect against the unknown.

I would be of the opinion that good programming practices should have
prevented it. And it doesn't take a 'really skilled' programmer
either, it's really simple - you are writing your input into some
context; so make sure your input isn't allowed to escape into another
context. I.e. You are taking _text_ and displaying it as _text_. It
could take on the context of _html_. You don't want this, so you
escape the _html_ special characters so it always displays as _text_.


> I don't have experience with the formal methods, but I can see that, supposing this were NASA,
> etc., formal approaches might lead to perfect protection.  However, all of that paranoia, formality
> or whatever takes a lot of time, effort and therefore huge economic impact.

I don't see that. If we are just talking about the 'programming' part
and not the 'designing' part it's really pretty straight-forward to
do what is required.

> I guess my personal opinion is that unit testing, etc. are great shortcuts (compared to perfect)
> which help reduce flaws, but with lesser expense.

You would still use these things.

-- Michael
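
The "text written into a context" point in the message above, as an added example that is not part of the original post: one encoder per output context, each keeping untrusted text from leaving the context it is written into. All function names and the sample input are constructed for illustration.

```javascript
// Constructed sample standing in for user-supplied text.
const SAMPLE = `"><script>alert(1)</script> Tom & 'Jerry'`;

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Context 1: text between tags or inside a quoted attribute value.
// The five characters that can open markup or close a quote become entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Context 2: text inside a quoted JavaScript string literal in an inline
// <script> block. HTML entities do not help here: a backslash or newline
// passes through escapeHtml unchanged and still alters the literal.
// Every UTF-16 unit outside a small safe set becomes \uXXXX, so quotes,
// backslashes, line breaks and "</script>" cannot appear in the output.
function escapeJsString(text) {
  return String(text).replace(/[^A-Za-z0-9 ,._-]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Each template applies the encoder that matches where the value lands.
function renderComment(text) {
  return `<p class="comment">${escapeHtml(text)}</p>`;
}

function renderInlineScript(text) {
  return `<script>var comment = "${escapeJsString(text)}";</script>`;
}

// Returns true when an encoded value contains none of the characters that
// would end the given context ("html" or "js").
function staysInContext(encoded, context) {
  const breakers = context === 'html' ? /[<>"']/ : /["'<>\n\r]|\\(?!u[0-9a-f]{4})/;
  return !breakers.test(encoded);
}

console.log(renderComment(SAMPLE));
console.log(renderInlineScript(SAMPLE));
```

The HTML encoder applied to a JavaScript string context fails the same check for an input such as a single backslash, which is why the encoder is chosen by destination, not by input.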





