WebApp Sec mailing list archives
RE: ISA Server and SQL Injection
From: "Mark Curphey" <mark () curphey com>
Date: Wed, 23 Feb 2005 08:09:26 -0800
Paul Please see comments inline -----Original Message----- From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: Wednesday, February 23, 2005 7:52 AM To: Mark Curphey Cc: webappsec () securityfocus com Subject: Re: ISA Server and SQL Injection Mark, From your tone I get the impression you've had enough discussing this! I'll be as brief as possible :-) Curphey> No tone, just type fast ;-) I think what we're actually disagreeing about is the meaning of "firewall". You're considering the practical meaning, i.e. a TCP/IP filtering device. I'm considering the logical meaning, i.e. a device that filters an interface based on rules. I think that answers your concerns of this being "architecturally wrong". Curphey> Agree As for you saying "No I am saying build secure software", the essence of the meaning is the same as "just get the code right". The attitude behind both these statements is "we must get it right". What if, instead, the attitude was "we must account for the fact that sometimes we get it wrong"? If you take this onboard, many imperfect protections start to look more attractive. Curphey> Building secure software IMHO is not just about getting the code right. I think any good system should be designed to handle failure. That goes from structured exception and error handling through to compartmentalizing and restraining components. The crux of it is that software IMHO has to protect itself. All the best, Curphey> And you ;-) Paul -- Paul Johnston, GSEC Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- Re: storing SSNs, CCNs, password in the DB, (continued)
- Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
- Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Feb 28)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
- Re: ISA Server and SQL Injection Paul Johnston (Feb 28)
- Re: ISA Server and SQL Injection Stephen de Vries (Feb 28)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 01)
- Re: ISA Server and SQL Injection christopher (Mar 03)
- Re: ISA Server and SQL Injection Jan P. Monsch (Mar 03)
- Re: ISA Server and SQL Injection Paul Johnston (Mar 03)
- Object Caching with IE 6 XP SP2 Don Tuer (Feb 28)
- Re: Copying files from one server to another. Michael Sztachanski (Feb 23)
- RE: Copying files from one server to another. dave kleiman (Feb 23)