RE: Hacme Bank

[Frank Knobbe <frank () knobbe us>]

On Tue, 2004-09-14 at 08:31, Don Tuer wrote:
>       I understand that the Hacme site is intentionally buggy my point
> was that it's quite surprising that Mark sees these very basic errors
> continuing to be made by web developers. Basic training in the .NET
> platform and some on line reading will emphasize to the developer not to
> make these mistakes.

You don't travel much, do you?

The fact that training and information is available does not mean that
it will automatically be absorbed. Just the fact that a lot of
developers are hard-pressed on meeting project deadlines doesn't usually
leave time for them to attend training, and if it does, it's limited in
time/scope. It typically takes an "external auditor" -- most of time
requested by clients or business partners, or required by other business
requirements -- to convince management to allow for more time and
education of the developers for security related things.

While overall the level of security awareness and competence is
increasing, I think we're still a long way off from the desired goal.

That raises the question, though, how we could measure that success.
Perhaps an index of XSS vulnerable web sites?

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part