[WEB SECURITY] Application Security Hacking Videos

Ivan Ristic ivan.ristic at gmail.com
Thu Jun 1 15:41:04 EDT 2006

On 6/1/06, Paul Schmehl <pauls at utdallas.edu> wrote:
> BTW, there are security companies that I will not even consider
> purchasing products from simply because they have had remote exploit
> vulnerabilities in their code.  I can assure you I'm not alone.  As more
> of us practitioners begin to cull the poorly programmed applications
> from our purchase mix, we will weed out the bad programmers ourselves.

I think it's more important to observe how companies deal with such
issues. Security problems are a fact of life mostly due to the fact
that there isn't a way to write code that is 100% guaranteed not to
have any faults.

> Yes, we need much better training.  Yes, we need much better awareness
> of the complexities of attack vectors.  But until programmers and
> leadership in software companies take the bull by the horns and start
> addressing the problem, we will continue to see point solutions that
> hide the ugly warts.

For one reason or another I don't think we can ever expect the average
programmer to understand all the security issues. That's why, IMHO, it
is essential to move to (and design) programming languages and
platforms that are not vulnerable to buffer overflows and, in general,
make it very difficult or impossible to write insecure code.

The people in charge of major programming platforms need to take
responsibility and make the (programming) world a more secure space. I
am not saying that would solve all our problems, but I think it would
solve most of the ones we are dealing with on a daily basis.

Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
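The point made above about platforms "not vulnerable to buffer overflows" can be shown concretely. The following is an added example, not code from the post or from ModSecurity: a fixed-size buffer copy written in Rust, where the language's bounds checking turns an oversized input into an explicit error (or, if the programmer forgets the check, into a panic rather than silent memory corruption). The buffer size and sample inputs are constructed for illustration.

```rust
// Added example (not from the mailing-list post): how a memory-safe
// language turns a would-be buffer overflow into a checked, recoverable
// failure. BUF_LEN and the inputs in main() are constructed values.

const BUF_LEN: usize = 8;

/// Copy `input` into a fixed-size buffer.
/// An unchecked C-style copy here would write past the end of the buffer;
/// in Rust the slice bounds are enforced, and we surface the failure as an
/// error instead of letting it happen.
pub fn copy_bounded(input: &[u8]) -> Result<[u8; BUF_LEN], String> {
    let mut buf = [0u8; BUF_LEN];
    // get_mut(..n) yields None when n exceeds the buffer length,
    // so an oversized input is rejected before any byte is written.
    let dst = buf.get_mut(..input.len()).ok_or_else(|| {
        format!("input of {} bytes exceeds buffer of {}", input.len(), BUF_LEN)
    })?;
    dst.copy_from_slice(input);
    Ok(buf)
}

/// Even when the programmer writes no check at all, an out-of-range index
/// cannot corrupt memory: the runtime panics. catch_unwind converts that
/// panic into a boolean so the behaviour can be observed and tested.
pub fn unchecked_index_is_caught(idx: usize) -> bool {
    let buf = [0u8; BUF_LEN];
    std::panic::catch_unwind(|| buf[idx]).is_err()
}

fn main() {
    println!("{:?}", copy_bounded(b"hello"));            // Ok([104, 101, 108, 108, 111, 0, 0, 0])
    println!("{:?}", copy_bounded(b"this is too long")); // Err("input of 16 bytes exceeds buffer of 8")
    println!("{}", unchecked_index_is_caught(100));      // true
}
```

The contrast is the whole argument of the post: the same mistake (copying without checking the length) is a remotely exploitable memory corruption on one platform and a contained, diagnosable failure on another.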
