WebApp Sec mailing list archives
RE: Secure Coding? Bah!
From: "Taco Fleur" <tacofleur () nella net au>
Date: Fri, 23 Jan 2004 14:25:00 +1000
I see now this is one of those not-so-user-friendly lists that puts the author of the post in the "To" of the email, so I'll resend the posts I sent earlier..

You are so right, and I am so thankful I finally found someone who feels the same way ;-)

This week I have been trying to get this point across to several mailing lists I am signed up with, but they all shy away as soon as the word security is mentioned. I even had to battle with some of them thinking it is OK that a cracker gets access to Joe Nothing Bloggs' admin panel because it's an insignificant website, but what they forget is that it's an open door to their domain, their own website is hosted on the same machine, etc. etc.

I too had to clean up code; well, I didn't get to clean it because it's not a priority of the company. It's like in the article: first make more money, and not caring about the security of the sensitive data of clients, in some cases credit card info....

Just today I had someone point out an XSS hole on my own website. I am fairly familiar with the holes on my website and will fix them in due time ;-)) but he posted the hole in a public place and everybody attacked him for it. I applaud him for it, because 1. he contacted me first, 2. if he does not post it in a public place nothing gets done about it..

Am I rambling on yet? Ok.....

Taco Fleur
Blog http://www.tacofleur.com/index/blog/
Methodology http://www.tacofleur.com/index/methodology/
0421 851 786
Tell me and I will forget
Show me and I will remember
Teach me and I will learn
-----Original Message-----
From: Adam Tuliper [mailto:amt () gecko-software com]
Sent: Friday, 23 January 2004 1:52 PM
To: mark () curphey com; webappsec () securityfocus com
Subject: Re: Secure Coding? Bah!

Credentials or not, he's right on almost every aspect. Almost every company I've done work at had pretty insecure code that I had to fix. I know of almost no peer developers who are security conscious, as well as I know no developers personally that were taught security as part of their training. It never ceases to amaze me how many developers know next to nothing about writing secure code. You tell them about a SQL injection attack and they look at you like a dog who just heard a funny noise and turns its head sideways. Ironically, the only people I know who seem to have any idea about security are the same ones who could hack your systems. Seems like this needs to be more two-way knowledge, but most developers just don't care.

On Thu, 22 Jan 2004 21:42:24 -0500 (EST) Mark Curphey <mark () curphey com> wrote:

Does anyone know of any information about this author's credentials to make these claims?
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html

---------------------------------------------------------------------
Web mail provided by NuNet, Inc. The Premier National provider. http://www.nni.com/
Current thread:
- Secure Coding? Bah! Mark Curphey (Jan 22)
- Re: Secure Coding? Bah! Adam Tuliper (Jan 22)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- RE: Secure Coding? Bah! Patrick Chavez (Jan 22)
- Re: Secure Coding? Bah! Juridian (Jan 23)
- Re: Secure Coding? Bah! Juridian (Jan 22)
- Re: Secure Coding? Bah! David Wall @ Yozons, Inc. (Jan 22)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- RE: Secure Coding? Bah! Tim Greer (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 23)
- RE: Secure Coding? Bah! Tim Greer (Jan 23)
- RE: Secure Coding? Bah! Taco Fleur (Jan 22)
- Re: Secure Coding? Bah! Adam Tuliper (Jan 22)