JSON of Ajax -or- Little Web 2.0 bugs versus big Web 2.0 flaws: darkreading

[gem at cigital.com (Gary McGraw)]

Hi sc-l,

This month's installment of my darkreading.com column focuses some much needed attention on the bug/flaw distinction 
that I think we need to pay more attention to.

In particular, many of you will recall the discussion of Javascript hijacking that Brian Chess posted to this list in 
March.  I found that work an interesting generalization of the Gmail/JSON problem.  However, I think that instead of 
focusing so much attention on the particulars of Javascript transport we need to focus on ***trust boundaries***.

Read all about it here: http://www.darkreading.com/document.asp?doc_id=125931

Please crosspost responses here and to the darkreading website.  I am interested in your opinion of the current "bug 
parade" problem we have in software security.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com