[SC-L] Survey

Stephen Craig Evans stephencraig.evans at gmail.com
Tue Aug 26 10:41:51 EDT 2008


Hi Jim,

"There are plenty of sites that are perfectly x/html valid that are
completely insecure."

Well, perhaps too many people have been listening to this drumbeat:
"In fact, a non-developer: such as someone in marketing who uses
Dreamweaver, could also do almost as much as a normal WAF by saving their
content as valid XHTML. This would buy the organization basic application
security functionality, which is what WAF also attempts to do."

http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

I rest my case.
Stephen

On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <jim at manico.net> wrote:

> There are plenty of sites that are perfectly x/html valid that are
> completely insecure.
>
> There are plenty of sites that follow perfect w3c and other standards that
> are completely insecure.
>
> There are plenty of sites that are top-tier security vendors that, at least
> in the past, have been insecure.
>
> - Jim
>
> At 11:11 AM -0400 8/24/08, Paco Hope wrote:
>
> Clearly the survey's content is only of interest if the HTML validates.
>
> The publisher of the web page is not in the security business,
> they are in the publishing business.  But how can I respect
> their publishing expertise if they fail a simple automatic
> test.
>
> And how can their target audience of security folk, who depend
> strongly on following standards respect the knowledge of a
> publisher who does not follow publishing standards.
>
> On Aug 24, 2008, at 9:47 AM, "ljknews" <ljknews at mac.com> wrote:
>
> At 2:43 PM -0400 8/22/08, Gary McGraw wrote:
>
> BankInfoSecurity is running a survey on software security that some
> of you may be interested in participating in.  Try it yourself here:
> http://www.bankinfosecurity.com/surveys.php?surveyID=1
>
> Hmmm.  http://validator.w3.org says there are 973 errors on that page.
>
> --
> Jim Manico, Senior Application Security Engineer
> jim.manico at aspectsecurity.com | jim at manico.net
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________