Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: Finally - Curphey award 2004 to SPI Dynamics
From: Daniel Cuthbert <deeper () gmail com>
Date: Tue, 29 Jun 2004 14:33:54 +0100

I'm busy showing this to a bunch of developers here at work and the
general feeling is "err wow i didnt realise that was an issue"
The main issue is that when your taught to code/develop, security
never comes into the equation (perfect example is a friend is doing
his computer science degree and learning C and yet they still dont
mention anything about secure coding)

This product wont stop all the security holes, but should start
developers thinking about the whole security lifecycle when developing

and as for OWASP feeding input into it, yeah good idea.

On Tue, 29 Jun 2004 09:25:48 -0400, Stan Guzik <sguzik () immediatech com> wrote:
Hello,

In my option, whatever it is worth, developers are burdened with
countless issues like security, performance, stability, and etc...
Whenever we can encapsulate security items like input/output validations
and not have the developer spend lots of time on it the better.
Developers should spend time on features and functionality of software
and less time on the above.

As developers we need to get to a point where we have components and
procedures that we plug into our software and it takes care of security
for us.  In an idealistic world developers should not worry about
security, one day we'll get there...  The more we use security
components and the more time we spend improving our components will lead
to more secure software.

One of my developers attended the OWASP AppSec 2004 conference and came
back to me saying "We already do this stuff but he never knew about
it..."  I incorporated the OWASP Guide into our development procedures
and my developers just followed our standards.  As a manager I felt
proud.

Does anyone know of any open source components like the one developed by
SPI?

Thanks,
Stan Guzik




-----Original Message-----
From: Mads Rasmussen [mailto:mads () opencs com br]
Sent: Tuesday, June 29, 2004 7:47 AM
To: Mark Curphey
Cc: webappsec () securityfocus com; Jeff Williams
Subject: Re: Finally - Curphey award 2004 to SPI Dynamics

Mark Curphey wrote:
Here I am, depressed at the prospect of filling in mountains of
expense
claims from weeks of traveling and approving mundane mails to
webappsec
about XSS after XSS and along comes a shining light. At last an
"application
security" company that gets it ! Hats of to the folks at SPI and the
Curphey
Award for 2004 for leading the industry down the right path !

http://biz.yahoo.com/prnews/040628/clm006_1.html

Here is another link http://www.eweek.com/article2/0,1759,1617901,00.asp

I don't know about you guys but I have a bad feeling about this. I am
not sure this is the right path.

The article quotes Caleb Sima, founder and chief technology officer of
SPI Dynamics saying "It doesn't require developers to learn about
security," - "You really just need to validate input to eliminate most
application vulnerabilities."

Shouldn't you at least have a feeling for where the developers makes
their mistakes to be able to insert the right piece of secure code?

By all means it looks like a cool product, but how much can we trust it?

One of its features is, qoute
"Input Validation objects will check incoming data on web forms to
validate user-supplied input against a set of rules and prevent
parameter manipulation exploits, such as SQL Injection attacks."

Can we trust these "set of rules".
If they opened their technology, the OWASP team could contribute rules
to such a database and then we just might get somewhere by having a list

of f.ex regular expressions for using the validator classes in .Net or
input validation in general but that would probably not happen.

I am concerned that products like this just leads to lazy developers.

Jeff what do you think about this? You wanted to start an input
validation project based on filters, a database like described above
would be quite handy :o)

Just my two bits

--
Mads Rasmussen, M.Sc.
Open Communications Security
www.opencs.com.br
+55 11 3345 2525



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]