[WEB SECURITY] Great article outlining a core issue with many in the security community

Michal Zalewski lcamtuf at coredump.cx
Sun Feb 13 21:17:57 EST 2011


> I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp

Oh, that OWASP thing is still around? ;-)

I don't quite understand the point of trying to pin the blame. Yes,
developers make mistakes. So do organizations that employ them. And
too often, so do armchair experts who criticize them without offering
any real solutions.

I mean, no matter how good your security skills are, if you think you
can write your own GMail or Facebook on a reasonable schedule, and not
introduce a healthy amount of XSS flaws, you're probably wrong.
Publishing a brand new XSS cheatsheet, a super-awesome security
testing tool, or a flaming hot secure development methodology is not
changing this appreciably.

But then, we wouldn't be here were it not for the "silly" mistakes of
the developers who built the foundations of the modern, horribly
error-prone web. To which they can respond that the security
community wasn't exactly there to offer useful insight. And perhaps
for the better, given that many of the "brilliant" ideas on how to fix
XSS once and for all are hopelessly out of touch.

Rinse, repeat.

/mz
