mailing list archives
Re: Finally - Curphey award 2004 to SPI Dynamics
From: Mads Rasmussen <mads () opencs com br>
Date: Tue, 29 Jun 2004 08:46:32 -0300
Mark Curphey wrote:
Here I am, depressed at the prospect of filling in mountains of expense
claims from weeks of traveling and approving mundane mails to webappsec
about XSS after XSS and along comes a shining light. At last an "application
security" company that gets it ! Hats of to the folks at SPI and the Curphey
Award for 2004 for leading the industry down the right path !
Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp
I don't know about you guys but I have a bad feeling about this. I am
not sure this is the right path.
The article quotes Caleb Sima, founder and chief technology officer of
SPI Dynamics saying "It doesn't require developers to learn about
security," - "You really just need to validate input to eliminate most
Shouldn't you at least have a feeling for where the developers makes
their mistakes to be able to insert the right piece of secure code?
By all means it looks like a cool product, but how much can we trust it?
One of its features is, qoute
"Input Validation objects will check incoming data on web forms to
validate user-supplied input against a set of rules and prevent
parameter manipulation exploits, such as SQL Injection attacks."
Can we trust these "set of rules".
If they opened their technology, the OWASP team could contribute rules
to such a database and then we just might get somewhere by having a list
of f.ex regular expressions for using the validator classes in .Net or
input validation in general but that would probably not happen.
I am concerned that products like this just leads to lazy developers.
Jeff what do you think about this? You wanted to start an input
validation project based on filters, a database like described above
would be quite handy :o)
Just my two bits
Mads Rasmussen, M.Sc.
Open Communications Security
+55 11 3345 2525