[WEB SECURITY] The lack of security enabled frameworks is why we're vulnerable

Jeff Robertson jeff.robertson at gmail.com
Fri Dec 22 13:13:02 EST 2006


On 12/22/06, Brian Eaton <eaton.lists at gmail.com> wrote:
>
> On 12/21/06, bugtraq at cgisecurity.net <bugtraq at cgisecurity.net> wrote:
> > "I always hear the argument 'people who write applications vulnerable to
> > buffer overflows, SQL injection or cross site scripting shouldn't be
> > writing code!' and it's a nice fantasy! New people are always learning to
> > code, being put into situations to develop things maybe they shouldn't be,
> > and this isn't going to ever stop. The majority of skilled developers
> > start out the same way and faulting them for 'learning the ropes' is just
> > plain stupid. We need to start hand-holding what developers are doing by
> > preventing them (by default) from making common security mistakes."
>
> Yeah, this is true.  I'd put a large share of the blame on some
> questionable architectural decisions as well.


All true. This is why the security industry itself is powerless to really
improve the long-term security landscape.

Anyone who really wants to turn today's top vulnerabilities into historical
novelties needs to get through to the framework builders. Or become one.