[WEB SECURITY] Great article outlining a core issue with many in the security community

Andre Gironda andreg at gmail.com
Sun Feb 13 22:08:03 EST 2011


I think I have the 20 year answer.

But y'all are not going to like it.

I've been seeing a lot of these "wtf are we going to do" moments recently.
See dailydave's recent posts.

We lost. We have to live with APT. Is Anonymous our friend or enemy? Are we
the enemy?

No, to you (the security community), your arch-nemesis is sitting in the
cube or coffee shop next to you. He's a developer, just like you. His
chain-of-command and yours are responsible for the cleanup of this mess and
sustainable results. Get them talking. Co-ordinate by co-operating.

Andre
 On Feb 13, 2011 7:43 PM, "Michal Zalewski" <lcamtuf at coredump.cx> wrote:
>> I saw this posted via twitter and thought it was worth mentioning here.
>> While the example specifies owasp
>
> Oh, that OWASP thing still around?;-)
>
> I don't quite understand the point of trying to pin the blame. Yes,
> developers make mistakes. So do organizations that employ them. And
> too often, so do armchair experts who criticize them without offering
> any real solutions.
>
> I mean, no matter how good your security skills are, if you think you
> can write your own GMail or Facebook on a reasonable schedule, and not
> introduce a healthy amount of XSS flaws, you're probably wrong.
> Publishing a brand new XSS cheatsheet, a super-awesome security
> testing tool, or a flaming hot secure development methodology is not
> changing this appreciably.
>
> But then, we wouldn't be here were it not for the "silly" mistakes of
> the developers who built the foundations of the modern, horribly
> error-prone web. To which, they can respond that the security
> community wasn't exactly there to offer useful insight. And perhaps
> for the better, given that many of the "brilliant" ideas how to fix
> XSS once and for all are hopelessly out of touch.
>
> Rinse, repeat.
>
> /mz
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
>
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

