WebApp Sec mailing list archives
RE: Reviewing security parameters
From: "Pitts, Christopher C." <Christopher.Pitts () HaverstickConsulting com>
Date: Fri, 16 Apr 2004 14:02:37 -0500
Do you guys think this script is safe?
To throw my hat in the ring. I think you really want to ask multiple questions rather than the blanket question you have asked. You'll get a much better result if you realize the different pieces to securing your application. What you've given us is a partial design spec of your code. You asked is this script safe. While I can give you a *partial* answer of the *design* of the code based on what was presented, that won't really answer your question. The questions I would ponder are... Is the design free of obvious design flaws? Is the development environment reasonable secure from tampering? Is the implementation of the design free from syntactical and security flaws that would otherwise compromise a secure design? Is the deployment environment secure? my .02c. I get asked this question just about everytime I walk into an AppSec review for a client, and it takes a bit of work sometimes to get them to realize that asking the question is a bit like asking if their entire network is secure. Christopher -- Christopher C. Pitts Sr. Consultant, Application Security Haverstick Consulting, Inc Carmel, Indiana
Current thread:
- Reviewing security parameters Simon Lemieux (Apr 16)
- Re: Reviewing security parameters Ilya Sher (Apr 16)
- RE: Reviewing security parameters V. Poddubniy (Apr 16)
- Re: Reviewing security parameters Jared (Apr 16)
- Re: Reviewing security parameters Matt Summers (Apr 16)
- Re: Reviewing security parameters Jared (Apr 16)
- Re: Reviewing security parameters exon (Apr 16)
- Follow-up: Reviewing security parameters Simon Lemieux (Apr 17)
- Message not available
- Re: Follow-up: Reviewing security parameters Simon Lemieux (Apr 21)
- Message not available
- <Possible follow-ups>
- RE: Reviewing security parameters Pitts, Christopher C. (Apr 16)
- RE: Reviewing security parameters Scovetta, Michael V (Apr 16)
- RE: Reviewing security parameters Auri A. Rahimzadeh (Apr 16)