WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: A Question of Quality

From: "Robert Hajime Lanning" <robert.lanning () gmail com>
Date: Sun, 2 Nov 2008 11:24:06 -0800
On Thu, Oct 30, 2008 at 4:55 PM, Yousef Syed <yousef.syed () gmail com> wrote:

Why isn't Quality Assumed?
Why isn't Security Assumed?
Why are these concepts thought of as add ons to Applications and Services?

Why do they need to be specified, when they should be taken for granted?
 - Input Validation
 - Boundary Conditions
 - Encrypt Data as necessary
 - Least Privilege Access
 - White lists are better than Black lists


I believe one of the issues is, pride of ownership in the end product.

A lot of the coding is now outsourced to cheap code houses.  These people
do not have ownership or attribution.  They have no reason to take any extra
steps, that are not specified in the contract.  If it is not in the
contract, they
are not being paid for it.

It's like a building contractor.  If it is not in the blue prints, it
does not go into
the finished building.  That is why a building spec is a thick book, that goes
all the way to specifying the exact screw to use.

-- 
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: