[WEB SECURITY] Great article outlining a core issue with many in the security community

Fonix Li Fonix.Li at webex.com
Sun Feb 13 21:54:59 EST 2011

I second MZ.
In most situations, the question is more like: how secure can I make my application, given the resource, schedule and feature requirements?


From: websecurity-bounces at lists.webappsec.org on behalf of Michal Zalewski
Sent: 2011-2-13 (Sunday) 18:17
To: robert at webappsec.org
Cc: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] Great article outlining a core issue with many in the security community

> I saw this posted via twitter and thought it was worth mentioning here. While the example specifies owasp

Oh, that OWASP thing is still around? ;-)

I don't quite understand the point of trying to pin the blame. Yes,
developers make mistakes. So do organizations that employ them. And
too often, so do armchair experts who criticize them without offering
any real solutions.

I mean, no matter how good your security skills are, if you think you
can write your own GMail or Facebook on a reasonable schedule, and not
introduce a healthy amount of XSS flaws, you're probably wrong.
Publishing a brand new XSS cheatsheet, a super-awesome security
testing tool, or a flaming hot secure development methodology is not
changing this appreciably.

But then, we wouldn't be here were it not for the "silly" mistakes of
the developers who built the foundations of the modern, horribly
error-prone web. To which, they can respond that the security
community wasn't exactly there to offer useful insight. And perhaps
for the better, given that many of the "brilliant" ideas how to fix
XSS once and for all are hopelessly out of touch.

Rinse, repeat.


The Web Security Mailing List


websecurity at lists.webappsec.org