WebApp Sec mailing list archives

Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)


From: silky <michaelslists () gmail com>
Date: Wed, 16 Jul 2008 20:07:35 +1000

On Wed, Jul 16, 2008 at 8:02 PM, Martin O'Neal
<martin.oneal () corsaire com> wrote:

>> this is fairly stupid.
>
> LOL; more stupid than vacuous name calling, or less?

I'd say it's on par with it :)


>> what financial institutions are
>> using floating point and not decimal
>> variables to represent their money?
>> very few I'd guess. it hardly needs
>> to be said that anyone using FP
>> variables to do financial maths
>> should be shot.
>
> LOL2; unfortunately you have guessed wrong.  Do not pass go.  Do not
> collect ukp200.  We see this kind of thing all the time in financial
> applications.

Well then you see some terribly-written financial apps. The ones I
worked on are not like this.


>> your last recommendation for C# is
>> wrong. == is fine for numbers. your
>> test above even proves it!
>
> Er, obviously you have become confused due to the ambiguity of the bit
> where it says "This type of caching does not exist in C# as can be seen
> from the equivalent code example".

Yes I did; but it doesn't change the fact that your comments under
"Testing" in that section (page 16) are still not applicable to C#.
Nor is the "Recommendation" about ==. As I said.


> Thanks for the constructive criticism though.

You're welcome. I hope your future releases are improved because of it :)


> Martin...
-- 
silky
http://www.themonkeynet.com/
http://lets.coozi.com.au/
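A worked illustration of the floating-point-versus-decimal point argued in the thread above, added here as an example that is not part of the thread or of the Corsaire whitepaper. Python's decimal module stands in for the decimal money types the posters refer to; all amounts are constructed sample values.

```python
"""Why binary floating point is the wrong type for money, and what the
decimal alternative looks like (added example; sample amounts are constructed)."""
from decimal import Decimal, ROUND_HALF_UP


def sum_float(amounts):
    """Accumulate amounts as Python floats (IEEE 754 binary64)."""
    total = 0.0
    for a in amounts:
        total += a
    return total


def sum_decimal(amount_strings):
    """Accumulate the same amounts as Decimal built from strings, never from floats."""
    total = Decimal("0.00")
    for a in amount_strings:
        total += Decimal(a)
    return total


def float_penny_test():
    """Ten deposits of 0.10 should reconcile to exactly 1.00.
    With floats the ledger check 'total == 1.0' fails: 0.1 has no exact binary form."""
    total = sum_float([0.1] * 10)
    return total == 1.0, total


def decimal_penny_test():
    """The same reconciliation with Decimal is exact, so == is a valid check."""
    total = sum_decimal(["0.10"] * 10)
    return total == Decimal("1.00"), total


def round_cents_float(amount):
    """round() on a float literal such as 2.675 sees 2.67499999...,
    so a half-up business rule silently becomes round-down for the customer."""
    return round(amount, 2)


def round_cents_decimal(amount_str):
    """Decimal with an explicit rounding mode applies the intended rule."""
    return Decimal(amount_str).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    print("float  10 x 0.10 == 1.00:", float_penny_test())
    print("decimal 10 x 0.10 == 1.00:", decimal_penny_test())
    print("float  round(2.675):", round_cents_float(2.675))
    print("decimal round(2.675):", round_cents_decimal("2.675"))
```

The comparison failure and the rounding discrepancy are the two defects a reviewer should look for when a money path is built on float or double rather than a decimal type.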
