WebApp Sec mailing list archives
Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)
From: silky <michaelslists () gmail com>
Date: Wed, 16 Jul 2008 20:07:35 +1000
On Wed, Jul 16, 2008 at 8:02 PM, Martin O'Neal <martin.oneal () corsaire com> wrote:
>> this is fairly stupid.
> LOL; more stupid than vacuous name calling, or less?
I'd say it's on par with it :)
>> what financial institutions are using floating point and not decimal variables to represent their money? very few i'd guess. it hardly needs to be said that anyone using FP variables to do financial maths should be shot.
> LOL2; unfortunately you have guessed wrong. Do not pass go. Do not collect ukp200. We see this kind of thing all the time in financial applications.
Well then you see some terribly-written financial apps. The ones I worked on are not like this.
>> your last recommendation for c# is wrong. == is fine for numbers. your test above even proves it!
> Er, obviously you have become confused due to the ambiguity of the bit where it says "This type of caching does not exist in C# as can be seen from the equivalent code example".
Yes I did; but it doesn't change the fact that your comments under "Testing" in that section (page 16) are still not applicable to c#. Nor is the "Recommendation" about ==. As I said.
> Thanks for the constructive criticism though.
You're welcome. I hope your future releases are improved because of it :)
> Martin...
--
silky
http://www.themonkeynet.com/
http://lets.coozi.com.au/