WebApp Sec mailing list archives

Re: [WEB SECURITY] Re: [SC-L] [WEB SECURITY] RE: I have not seen many people comment


From: James Landis <elspood () gmail com>
Date: Wed, 21 Apr 2010 18:26:59 -0700

Jim,
I'm not really convinced that "focusing on controls" is the intent of
the OT10 2010 as you say. If that was the case, and using your own
example: XSS would have been folded into Injection along with SQLi,
because XSS is fundamentally just HTML Injection in most instances
(and in all cases, it's just another instance of context-dependent
encoding failure). I think there is a ton of value in a root-cause
driven approach to vulnerability/weakness enumeration - indeed it's
part of the approach I take toward developer education these days. I
just don't think that could have been a fundamental principle behind
this latest version if this is what we ended up with.

I have to run out of here, but I'm going to grab a cub on the way out:

What exactly is the value of a "generic" risk rating? Aren't you doing
more harm than good by trying to supply risk assessment and
remediation recommendations in a document consumed by an audience who
needs Wichers' disclaimer to know that they have to do more to solve
the software security problem than check off the top 10 with their
bottom-dollar QSA or default WAF install?

-j
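Both James's point (XSS as a context-dependent encoding failure) and Jim's point below (the single control developers need to learn is contextual encoding wherever user data reaches an interpreter) come down to the same thing, so here is an added illustration in Python. It is not code from this thread or from OWASP; the sample input string, the encoder names and the render_page template are constructed for the demonstration. It also shows the failure mode James describes: an encoder meant for one context (a JavaScript string literal) applied in another (an HTML attribute) leaves the attribute delimiter intact.

```python
"""Context-dependent output encoding (example code, not from the thread).

The same untrusted string needs a different encoder depending on which
interpreter will consume it: HTML body, HTML attribute, JavaScript
string literal, or URL query parameter.
"""
import html
import json
import urllib.parse

# Constructed sample of untrusted input (made up for this example).
UNTRUSTED = 'O\'Brien" onmouseover="x <script>alert(1)</script>'


def encode_for_html_body(value: str) -> str:
    """Text placed between tags: & < > " ' become entities."""
    return html.escape(value, quote=True)


def encode_for_html_attribute(value: str) -> str:
    """Value placed inside a double-quoted attribute. Same entity set as
    the body context; the template must also quote the attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Value embedded as a JavaScript string literal. json.dumps produces
    a quoted, backslash-escaped literal; < > & are then replaced with
    \\u escapes so the HTML parser cannot see a '</script>' inside it."""
    literal = json.dumps(value)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(raw, esc)
    return literal


def encode_for_url_param(value: str) -> str:
    """Value used as a query-string parameter: percent-encode everything
    except unreserved characters."""
    return urllib.parse.quote(value, safe="")


def render_page(name: str) -> str:
    """Hypothetical template that emits the same value into four contexts,
    each through the encoder for that context."""
    return "\n".join([
        f"<p>Hello, {encode_for_html_body(name)}</p>",
        f'<input type="text" value="{encode_for_html_attribute(name)}">',
        f"<script>var user = {encode_for_js_string(name)};</script>",
        f'<a href="/search?q={encode_for_url_param(name)}">search</a>',
    ])


def attribute_is_terminated(encoded: str) -> bool:
    """True when a raw double quote survives encoding, i.e. the value could
    close a double-quoted HTML attribute early."""
    return '"' in encoded


def wrong_context_leaks() -> bool:
    """Apply the JavaScript-string encoder where an HTML-attribute encoder
    was needed. json.dumps only backslash-escapes quotes, which means
    nothing to the HTML parser, so the attribute is still terminated."""
    return attribute_is_terminated(encode_for_js_string(UNTRUSTED))


if __name__ == "__main__":
    print(render_page(UNTRUSTED))
    print("JS encoder in attribute context breaks out:", wrong_context_leaks())
```

OWASP ESAPI, which Jim's signature names, exposes the same split as encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript and encodeForURL; the point of the example is that picking the encoder is a per-sink decision, not a per-application one.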

On Wed, Apr 21, 2010 at 5:05 PM, Jim Manico <jim.manico () owasp org> wrote:
I'm sorry for getting to my point like this Robert - but the OWASP Top Ten
does indeed address remediation with reasonable detail. This is significant
power when trying to communicate web application risks to web developers. We
can inform developers of risks in a much more cost effective way by focusing
on controls. Developers do not need to know about the 10 different kinds of
injection attacks - they need to know about the control (contextual encoding
anytime user data reaches an interpreter of any kind).

More on topic, the risk rating in OT10 is "generic" and of course you should
consider whether your individual business impact factors
(http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Business_Impact_Factors)
trump T10's generic rating. A significant change in your business specific
impact factor will trump technical impact and change the final risk rating.

Also, please be mindful of the eloquent warning that Dave Wichers added to
the top of this document, which I have pasted below.

Robert - you are a "stand up guy" and I apologize for my snippy and
off-topic response. I owe you a (case of good) beer or other beverage of
choice. Let me know where to send it. I'm serious - just don't share with
Arian. ;)

- Jim

OWASP TOP TEN WARNINGS

Don’t stop at 10. There are hundreds of issues that could
affect the overall security of a web application as discussed in
the OWASP Developer’s Guide. This is essential reading for
anyone developing web applications today. Guidance on how
to effectively find vulnerabilities in web applications is
provided in the OWASP Testing Guide and OWASP Code
Review Guide, which have both been significantly updated
since the previous release of the OWASP Top 10.

Constant change. This Top 10 will continue to change. Even
without changing a single line of your application’s code, you
may already be vulnerable to something nobody ever
thought of before. Please review the advice at the end of the
Top 10 in “What’s Next For Developers, Verifiers, and
Organizations” for more information.

Think positive. When you’re ready to stop chasing
vulnerabilities and focus on establishing strong application
security controls, OWASP has just produced the Application
Security Verification Standard (ASVS) as a guide to
organizations and application reviewers on what to verify.

Use tools wisely. Security vulnerabilities can be quite
complex and buried in mountains of code. In virtually all
cases, the most cost-effective approach for finding and
eliminating these weaknesses is human experts armed with
good tools.

Push left. Secure web applications are only possible when a
secure software development lifecycle is used. For guidance
on how to implement a secure SDLC, we recently released
the Open Software Assurance Maturity Model (SAMM),
which is a major update to the OWASP CLASP Project.

Jim,

The WASC Threat Classification v2 is a classification of attacks and
weaknesses, not remediations. This is stated in our definition.

"The Threat Classification is an effort to classify the weaknesses, and
attacks that can lead to the compromise of a website, its data, or its
users."

I believe this thread was about constructive conversation on the owasp top
ten, and the impact of using it in the real world, not about the WASC TCv2.
However if you have specific suggestions please send them directly to me,
or via the instructions within that document, we will listen to and
evaluate *all* feedback once we kickoff the next update phase.

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/




My problem with WASC T2 is that it does not discuss remediation. Is this
coming soon?

- Jim



Hello Matt,

My only real concern is that the owasp top ten is now based on 'Risks' and
has removed information/data disclosure/leakage. Speaking as someone who
has worked in a risk management team, I see the leakage of
customer/sensitive data as one of the most serious "Risks" that exist for
a company, and it is something that is happening more and more. I brought
this to the attention of the Top Ten List back in November (see #5)
https://lists.owasp.org/pipermail/owasp-topten/2009-November/000487.html
and it wasn't really addressed.

If the top ten was based on attacks and weaknesses (or just vulnerabilities)
rather than 'risks' then I could see the argument
for removal. Other than that, it is nice to see this document
maturing/improving.

Regarding your comment on open redirects I've seen these many times in the
real world and they ARE being used by individuals to phish users. CSRF was
used by the Samy worm (not what I'd call a well organized motivated
attacker as much as a PoC) in combination with XSS so I'd say it is used
by both audiences (the abuse case is really application/functionality
specific).


Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/






I have not seen many people comment on the new OWASP top Ten. What does
everyone think? I blogged about it from my perspective. I am interested in
hearing about other people's experience with it.



http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html





Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office

"Do Good and Fear No Man"

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1980 () gmail com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

http://twitter.com/parsonsmatt







_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________



--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net


