WebApp Sec mailing list archives

RE: Finally - Curphey award 2004 to SPI Dynamics


From: "Madsen, Villy" <Villy.Madsen () atcoitek com>
Date: Tue, 29 Jun 2004 09:20:33 -0600

Jan

Thank YOU!!!!!

It's amazing how a single word will change everything!!!

As they say in the military, for: "I also feel that providing a standard
tool that they can use to filter input is a bad thing."
Read: "I also feel that providing a standard tool that they can
use to filter input is NOT a bad thing."

It would make things a lot easier if I had just said IS A GOOD THING!!

Which it is!!

Mads, is negating negatives to make a positive a Danish thing, or is it
just a Villy thing ???

Villy



-----Original Message-----
From: Jan Hanekom [mailto:j_hanekom () hotmail com] 
Sent: Tuesday, June 29, 2004 8:38 AM
To: Madsen, Villy
Subject: RE: Finally - Curphey award 2004 to SPI Dynamics


Hi Villy

I'm following this thread, but have trouble making sense of your post...
You say that providing a standard tool to developers to perform input
filtering is a bad thing, but then go on to describe a system which you
seem to say is good and is similar to SPI's solution to the problem.

Could you please explain?

Thanks
Jannie 

-----Original Message-----
From: Madsen, Villy [mailto:Villy.Madsen () atcoitek com] 
Sent: 29 June 2004 15:19
To: Mads Rasmussen; Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: RE: Finally - Curphey award 2004 to SPI Dynamics

While I do not advocate that Developers be allowed to get lazy about
security,

I also feel that providing a standard tool that they can use to filter
input is a bad thing.

Way back a couple of decades ago, I was involved in a Telco project to
rewrite an application used by Long Distance Telephone operators to
manage "Time and Charges" calls.   The application was finally shut down
in 2000.

One of the "breakthroughs" that we pioneered was the heavy use of what
we called Table Driven IO.  All data input or output from the system
was defined by a set of mapping tables that defined what the data could
look like, how long it was, and where it was mapped to in the
application data schema.

The "mapping" applications were general purpose, checked for proper type
- performing whatever data conversions were necessary, guarded against
overflows etc. etc.

Sounds very similar to me.

I thought it was a great idea then, and I still do...

One application to vet (the mapping routine), and a bunch of tables to
validate.

Easier than validating all of the code snippets that are "accepting
Input" from the external world....


Villy


Villy Madsen ISP GSEC
Information Security
ATCO I-Tek
Bus: (780) 420-5093
Cell: (780) 975-0110
Fax: (780) 420-3916
Mailto:Villy.Madsen () atcoitek com

The information transmitted is intended only for the addressee and may
contain confidential, proprietary and/or privileged material.  Any
unauthorized review, distribution or other use of or the taking of any
action in reliance upon this information is prohibited.  If you received
this in error, please contact the sender and delete or destroy this
message and any copies.


-----Original Message-----
From: Mads Rasmussen [mailto:mads () opencs com br]
Sent: Tuesday, June 29, 2004 5:47 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: Finally - Curphey award 2004 to SPI Dynamics


Mark Curphey wrote:
Here I am, depressed at the prospect of filling in mountains of
expense claims from weeks of traveling and approving mundane mails to
webappsec about XSS after XSS and along comes a shining light. At last
an "application security" company that gets it! Hats off to the folks
at SPI and the Curphey Award for 2004 for leading the industry down
the right path!

http://biz.yahoo.com/prnews/040628/clm006_1.html

Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp

I don't know about you guys but I have a bad feeling about this. I am 
not sure this is the right path.

The article quotes Caleb Sima, founder and chief technology officer of 
SPI Dynamics saying "It doesn't require developers to learn about 
security," - "You really just need to validate input to eliminate most 
application vulnerabilities."

Shouldn't you at least have a feeling for where the developers make
their mistakes to be able to insert the right piece of secure code?

By all means it looks like a cool product, but how much can we trust it?

One of its features is, quote:
"Input Validation objects will check incoming data on web forms to
validate user-supplied input against a set of rules and prevent
parameter manipulation exploits, such as SQL Injection attacks."

Can we trust these "sets of rules"?
If they opened their technology, the OWASP team could contribute rules
to such a database and then we just might get somewhere by having a list
of f.ex. regular expressions for using the validator classes in .Net or
input validation in general, but that would probably not happen.

I am concerned that products like this just lead to lazy developers.

Jeff what do you think about this? You wanted to start an input 
validation project based on filters, a database like described above 
would be quite handy :o)

Just my two bits

-- 
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525

