[WEB SECURITY] The lack of security enabled frameworks is why we're vulnerable

Brian Eaton eaton.lists at gmail.com
Fri Dec 22 11:44:19 EST 2006


On 12/21/06, bugtraq at cgisecurity.net <bugtraq at cgisecurity.net> wrote:
> "I always hear the argument 'people who write applications vulnerable to
> buffer overflows, SQL injection or cross site scripting shouldn't be writing code!'
> and it's a nice fantasy! New people are always learning to code, being put into
> situations to develop things maybe they shouldn't be and this isn't going to ever
> stop. The majority of skilled developers start out the same way and faulting them
> for 'learning the ropes' is just plain stupid. We need to start hand holding what
> developers are doing by preventing them (by default) from making common security
> mistakes."

Yeah, this is true.  I'd put a large share of the blame on some
questionable architectural decisions as well.

Consider: the WWW is designed such that any application running in a
web browser can send arbitrary requests to any other application
running in the same web browser.  Accepting malicious input from
everywhere on the planet is not a recipe for security.

But that is how the web works.

Regards,
Brian
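The architectural point made above, that a page from one site can make the browser send requests to another site on the user's behalf, is exactly what server-side cross-site request forgery checks are meant to absorb. As an added example (not code from this thread or from any project it mentions), here is a Python check a web application can run before performing a state-changing action: it verifies that the browser-supplied Origin or Referer header names one of the site's own origins, and then compares a per-session token against the one submitted with the form in constant time. The origin names, header dictionaries and token values are constructed for illustration; any real framework would plug these checks into its own request objects.

```python
# Added example: server-side checks that reject browser requests that a
# third-party page caused the browser to send. Not from the original post.
import hmac
import secrets
from urllib.parse import urlsplit


def new_csrf_token() -> str:
    """Generate an unguessable per-session token to embed in the site's own forms."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict, allowed_origins: set) -> bool:
    """Accept only if the browser-set Origin (or, failing that, Referer) names this site.

    Browsers attach these headers themselves; a page on another site cannot
    change them, which is what makes the check meaningful.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            # No way to tell where the request came from: treat as cross-site.
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() in allowed_origins


def token_matches(session_token, submitted_token) -> bool:
    """Constant-time comparison of the session's token with the submitted one."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(str(session_token), str(submitted_token))


def is_request_trusted(method: str, headers: dict, form: dict,
                       session: dict, allowed_origins: set) -> bool:
    """Decide whether a request may perform a state-changing action.

    Safe methods are let through because they must not change state anyway;
    everything else needs both a same-site origin and a matching token.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    if not origin_allowed(headers, allowed_origins):
        return False
    return token_matches(session.get("csrf_token"), form.get("csrf_token"))


if __name__ == "__main__":
    # Constructed sample data: a site origin, a session, and three requests.
    allowed = {"https://bank.example"}
    session = {"csrf_token": new_csrf_token()}
    same_site = {"Origin": "https://bank.example"}
    other_site = {"Origin": "https://other.example"}
    good_form = {"csrf_token": session["csrf_token"]}
    print(is_request_trusted("POST", same_site, good_form, session, allowed))   # True
    print(is_request_trusted("POST", other_site, good_form, session, allowed))  # False
    print(is_request_trusted("POST", same_site, {}, session, allowed))          # False
```

The origin check alone is not enough on its own (some proxies strip Referer, and an application may legitimately receive requests with neither header), which is why the token comparison is kept as the second gate rather than as an alternative.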

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
