WebApp Sec mailing list archives
Re: [WEB SECURITY] Re: [SC-L] [WEB SECURITY] RE: I have not seen many people comment
From: James Landis <elspood () gmail com>
Date: Wed, 21 Apr 2010 18:26:59 -0700
Jim, I'm not really convinced that "focusing on controls" is the intent of the OT10 2010 as you say. If that was the case, and using your own example: XSS would have been folded into Injection along with SQLi, because XSS is fundamentally just HTML Injection in most instances (and in all cases, it's just another instance of context-dependent encoding failure). I think there is a ton of value in a root-cause driven approach to vulnerability/weakness enumeration - indeed it's part of the approach I take toward developer education these days. I just don't think that could have been a fundamental principle behind this latest version if this is what we ended up with.

I have to run out of here, but I'm going to grab a cub on the way out: What exactly is the value of a "generic" risk rating? Aren't you doing more harm than good by trying to supply risk assessment and remediation recommendations in a document consumed by an audience who needs Wichers' disclaimer to know that they have to do more to solve the software security problem than check off the top 10 with their bottom-dollar QSA or default WAF install?

-j

On Wed, Apr 21, 2010 at 5:05 PM, Jim Manico <jim.manico () owasp org> wrote:
I'm sorry for getting to my point like this Robert - but the OWASP Top Ten does indeed address remediation with reasonable detail. This is significant power when trying to communicate web application risks to web developers. We can inform developers of risks in a much more cost effective way by focusing on controls. Developers do not need to know about the 10 different kinds of injection attacks - they need to know about the control (contextual encoding anytime user data reaches an interpreter of any kind).

More on topic, the risk rating in OT10 is "generic" and of course you should consider whether your individual business impact factors ( http://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Business_Impact_Factors ) trump T10's generic rating. A significant change in your business specific impact factor will trump technical impact and change the final risk rating. Also, please be mindful of the eloquent warning that Dave Wichers added to the top of this document, which I have pasted below.

Robert - you are a "stand up guy" and I apologize for my snippy and off-topic response. I owe you a (case of good) beer or other beverage of choice. Let me know where to send it. I'm serious - just don't share with Arian. ;)

- Jim

OWASP TOP TEN WARNINGS

Don’t stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer’s Guide. This is essential reading for anyone developing web applications today. Guidance on how to effectively find vulnerabilities in web applications is provided in the OWASP Testing Guide and OWASP Code Review Guide, which have both been significantly updated since the previous release of the OWASP Top 10.

Constant change. This Top 10 will continue to change. Even without changing a single line of your application’s code, you may already be vulnerable to something nobody ever thought of before. Please review the advice at the end of the Top 10 in “What’s Next For Developers, Verifiers, and Organizations” for more information.

Think positive. When you’re ready to stop chasing vulnerabilities and focus on establishing strong application security controls, OWASP has just produced the Application Security Verification Standard (ASVS) as a guide to organizations and application reviewers on what to verify.

Use tools wisely. Security vulnerabilities can be quite complex and buried in mountains of code. In virtually all cases, the most cost-effective approach for finding and eliminating these weaknesses is human experts armed with good tools.

Push left. Secure web applications are only possible when a secure software development lifecycle is used. For guidance on how to implement a secure SDLC, we recently released the Open Software Assurance Maturity Model (SAMM), which is a major update to the OWASP CLASP Project.

Jim,

The WASC Threat Classification v2 is a classification of attacks and weaknesses, not remediations. This is stated in our definition: "The Threat Classification is an effort to classify the weaknesses, and attacks that can lead to the compromise of a website, its data, or its users."

I believe this thread was about constructive conversation on the OWASP Top Ten, and the impact of using it in the real world, not about the WASC TCv2. However, if you have specific suggestions please send them directly to me, or via the instructions within that document; we will listen to and evaluate *all* feedback once we kick off the next update phase.

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

My problem with WASC T2 is that it does not discuss remediation. Is this coming soon?

- Jim

Hello Matt,

My only real concern is that the OWASP Top Ten is now based on 'Risks' and has removed information/data disclosure/leakage. Speaking as someone who has worked in a risk management team, I see the leakage of customer/sensitive data as one of the most serious "Risks" that exist for a company, and it is something that is happening more and more. I brought this to the attention of the Top Ten list back in November (see #5) https://lists.owasp.org/pipermail/owasp-topten/2009-November/000487.html and it wasn't really addressed. If the Top Ten was based on attacks and weaknesses (or just vulnerabilities) rather than 'risks' then I could see the argument for removal. Other than that, it is nice to see this document maturing/improving.

Regarding your comment on open redirects, I've seen these many times in the real world and they ARE being used by individuals to phish users. CSRF was used by the Samy worm (not what I'd call a well organized motivated attacker as much as a PoC) in combination with XSS, so I'd say it is used by both audiences (the abuse case is really application/functionality specific).

Regards,
- Robert A.
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/

I have not seen many people comment on the new OWASP Top Ten. What does everyone think? I blogged about it from my perspective. I am interested in hearing about other people's experience with it.
http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1980 () gmail com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
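The control Jim describes (contextual encoding wherever user data reaches an interpreter) and the "context-dependent encoding failure" James points to, as an added example that is not part of this thread and not OWASP or WASC project code: the same constructed input rendered into four output contexts with one encoder each, plus the nested case (a JS string literal inside an HTML event-handler attribute) where HTML encoding alone is the wrong context and lets the user's apostrophe end the literal. The `render`, `greet()` and template strings are hypothetical; the encoders follow the usual per-context rules.

```python
import html
from urllib.parse import quote

# Constructed sample (not from the thread): one character that can terminate
# each output context below: apostrophe, double quote, angle brackets, ampersand, slash.
SAMPLE = "Bob's \"<b>\" & co/"


def encode_html(s: str) -> str:
    """Entity-encode & < > " ' for HTML body text and quoted attribute values."""
    return html.escape(s, quote=True)


def encode_js_string(s: str) -> str:
    """Escape everything outside [A-Za-z0-9 ] as \\xHH or \\uHHHH, so no quote,
    backslash, newline or '</script>' can end a JS string literal."""
    out = []
    for ch in s:
        if ch.isalnum() or ch == " ":
            out.append(ch)
        else:
            out.append("\\x%02x" % ord(ch) if ord(ch) < 256 else "\\u%04x" % ord(ch))
    return "".join(out)


def encode_url_param(s: str) -> str:
    """Percent-encode a query-string value, '/' included (safe='')."""
    return quote(s, safe="")


def render(context: str, value: str) -> str:
    """One encoder per interpreter the data reaches (hypothetical templates)."""
    if context == "body":
        return f"<p>{encode_html(value)}</p>"
    if context == "attr":
        return f'<input value="{encode_html(value)}">'
    if context == "script":
        return f"<script>var who = '{encode_js_string(value)}';</script>"
    if context == "url":
        return f'<a href="/search?q={encode_url_param(value)}">go</a>'
    if context == "onclick":
        # Nested interpreters: the HTML parser decodes the attribute, then the JS
        # engine parses the result, so encode inner (JS) first, outer (HTML) second.
        return f"<a onclick=\"greet('{encode_html(encode_js_string(value))}')\">hi</a>"
    raise ValueError(f"unknown context {context!r}")


def onclick_html_only(value: str) -> str:
    """The failure mode: HTML encoding alone, applied in a nested JS context."""
    return f"<a onclick=\"greet('{encode_html(value)}')\">hi</a>"


def handler_as_seen_by_js(anchor_html: str) -> str:
    """Simulate the browser: pull out the onclick value and entity-decode it,
    which is exactly the source text the JS engine is handed."""
    start = anchor_html.index('onclick="') + len('onclick="')
    end = anchor_html.index('"', start)
    return html.unescape(anchor_html[start:end])


def literal_stays_closed(anchor_html: str) -> bool:
    """True when the only apostrophes reaching the JS engine are greet()'s own
    two delimiters, i.e. the user data could not end the string literal early."""
    return handler_as_seen_by_js(anchor_html).count("'") == 2
```

Run `literal_stays_closed` on both onclick variants: the HTML-only one decodes back to a raw apostrophe inside the handler, the JS-then-HTML one does not, which is the whole point of picking the encoder by the innermost interpreter.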