[WEB SECURITY] The lack of security enabled frameworks is why we're vulnerable
Brian Eaton
eaton.lists at gmail.com
Fri Dec 22 11:44:19 EST 2006
On 12/21/06, bugtraq at cgisecurity.net <bugtraq at cgisecurity.net> wrote:
> "I always hear the argument 'people who write applications vulnerable to
> buffer overflows, sql injection or cross site scripting shouldn't be writing code!'
> and it's a nice fantasy! New people are always learning to code, being put into
> situations to develop things maybe they shouldn't be and this isn't going to ever
> stop. The majority of skilled developers start out the same way and faulting them
> for 'learning the ropes' is just plain stupid. We need to start hand holding what
> developers are doing by preventing them (by default) from making common security
> mistakes."
Yeah, this is true. I'd put a large share of the blame on some
questionable architectural decisions as well.
Consider: the WWW is designed such that any application running in a
web browser can send arbitrary requests to any other application
running in the same web browser. Accepting malicious input from
everywhere on the planet is not a recipe for security.
But that is how the web works.
Regards,
Brian
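The request model Brian describes (any page loaded in a browser can make that browser send requests, cookies included, to any other site) is what cross-site request forgery exploits, and it is also the kind of mistake the quoted post wants frameworks to prevent "by default". The following is an added illustration, not code from the list post or from any framework: a small request gate a framework could apply to every state-changing request, which refuses the request unless the browser-reported Origin (or Referer, for browsers that send no Origin) matches the site and the form echoes a per-session token that a page on another site cannot read. The origin `https://bank.example`, the request and session shapes, and all function names are assumptions made for the demo.

```python
"""Secure-by-default guard against cross-site request forgery.

Added example, not from the original post. Assumed: requests arrive as a
method string, a header dict, a session dict and a form dict; the site's
origin is the constructed value below.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"      # constructed origin for the demo
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only; no token required


def issue_csrf_token(session: dict) -> str:
    """Create, once per session, the token the site's own forms must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Reject when the browser says the request came from another site.

    Origin is checked first; browsers that send no Origin may still send
    Referer. With neither header present we cannot tell, so the decision
    falls through to the token check alone.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin.rstrip("/") == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return True


def token_valid(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def check_request(method: str, headers: dict, session: dict, form: dict) -> bool:
    """Framework-level gate: True only if the request may reach the handler.

    Safe methods always pass; anything that changes state must pass both
    the origin check and the token check.
    """
    if method.upper() in SAFE_METHODS:
        return True
    return origin_allowed(headers) and token_valid(session, form)


def demo() -> tuple:
    """Three constructed requests against one session: own site, other site,
    and a browser that reports no origin at all with a wrong token."""
    session: dict = {}
    token = issue_csrf_token(session)
    own_site = check_request(
        "POST", {"Origin": SITE_ORIGIN}, session,
        {"csrf_token": token, "amount": "10"})
    # Submitted from a page on another site: the browser attaches the
    # session cookie, but that page never saw the token.
    other_site = check_request(
        "POST", {"Origin": "https://other.example"}, session, {"amount": "10"})
    no_origin = check_request(
        "POST", {}, session, {"csrf_token": "not-the-token"})
    return own_site, other_site, no_origin


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of putting this in the framework rather than in each handler is the one the quoted post makes: a developer who has never heard of the problem still gets the protection, because the gate runs before their code does.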
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]