WebApp Sec mailing list archives

RE: Secure Coding? Bah!


From: "Taco Fleur" <tacofleur () nella net au>
Date: Fri, 23 Jan 2004 14:25:00 +1000

I see now this is one of those not so user-friendly lists that puts the
author of the post in the "to" of the email.
So I'll resend the posts I sent earlier.

You are so right, and I am so thankful I finally found someone who feels the
same way ;-)

This week I have been trying to get this point across to several mailing
lists I am signed up with, but they all shy away as soon as the word
security is mentioned.

I even had to battle with some of them thinking it is ok that a cracker gets
access to Joe Nothing Bloggs' admin panel, because it's an insignificant
website, but what they forget is that it's an open door to their domain,
their own website is hosted on the same machine, etc. etc.

I too had to clean up code, well, I didn't get to clean it because it's not a
priority of the company, it's like in the article - first make more money,
and not caring about the security of the sensitive data of clients, in some
cases Credit Card info....

Just today I had someone point out an XSS hole on my own website, I am fairly
familiar with the holes on my website and will fix them in due time ;-)) but
he posted the hole in a public place and everybody attacked him for it, but
I applaud him for it, because 1. he contacted me first; 2. if he does not
post it in a public place nothing gets done about it.. Am I rambling on yet?
Ok.....

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn 


-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Friday, 23 January 2004 1:52 PM
To: mark () curphey com; webappsec () securityfocus com
Subject: Re: Secure Coding? Bah!


Credentials or not, he's right on almost every aspect.

Almost every company I've done work at had pretty insecure code that I
had to fix. I know of almost no peer developers who are security
conscious, as well as I know no developers personally that were taught
security as part of their training. It never ceases to amaze me how
many developers know next to nothing about writing secure code. You
tell them about a SQL injection attack and they look at you like a dog
who just heard a funny noise and turns its head sideways.
Ironically the only people I know who seem to have any idea
about security are the same ones who could hack your systems.
Seems like this needs to be more two-way knowledge but most
developers just don't care.

On Thu, 22 Jan 2004 21:42:24 -0500 (EST) Mark Curphey <mark () curphey com> wrote:

Does anyone know of any information about this author's credentials to
make these claims?

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html
