Yes, but this is actually really hard; most scanners are completely
unaware of the security aspects of JavaScript:
* Client-side validation
* DOM injection
* XSS, etc.
Until scanners become more competent, a well-written Manual of Style
which encourages / mandates how validation works and variables are
named is more desirable. Look at Chris Shiflett's approach for PHP:
$clean = array();                              // only validated values ever land here
$clean['foo'] = someValidation($_POST['foo']); // raw $_POST is never used directly
That sort of naming scheme can truncate audits by literally days and
days on bigger apps. There's no reason not to encourage it in JS as
well.
thanks,
Andrew
On 30/03/2006, at 12:04 AM, Jeff Robertson wrote:
> Side question:
>
> If you find yourself in the position to influence the design of a new
> application, would you encourage the people coding it to optimize
> it for
> "scannability" so as to make your own job easier?
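The same $clean convention carried over to browser-side JavaScript, as an added example that is not from the original thread or from Chris Shiflett's material. It assumes two hypothetical form fields ("username", "age") and a node-like output object with a textContent property; validated values are the only ones that reach the DOM, and they are written with textContent so no markup is interpreted.

```javascript
// Added example: the "$clean" naming convention from the email, applied to
// client-side JavaScript. Raw input never reaches the DOM; every value that
// does has passed through a validator that writes into `clean`.
// Field names and rules below are assumptions for illustration only.

const validators = {
  // Hypothetical rules: a short alphanumeric handle and an integer age.
  username: (v) => (/^[A-Za-z0-9_]{3,16}$/.test(v) ? v : null),
  age: (v) => {
    const n = Number(v);
    return Number.isInteger(n) && n >= 0 && n <= 150 ? n : null;
  },
};

// Builds `clean` from a raw input map (e.g. form fields). A field that fails
// validation is listed in `errors` and is never copied into `clean`, so an
// auditor can grep for `clean.` and know every use has been validated.
function buildClean(raw) {
  const clean = {};
  const errors = [];
  for (const [name, validate] of Object.entries(validators)) {
    const value = validate(String(raw[name] ?? ""));
    if (value === null) errors.push(name);
    else clean[name] = value;
  }
  return { clean, errors };
}

// Renders only from `clean`, via textContent rather than innerHTML, which is
// the DOM-injection / XSS case the email lists. `out` is any object with a
// textContent property, so this also runs outside a browser.
function renderGreeting(clean, out) {
  if (!("username" in clean)) return false;
  out.textContent = `Hello, ${clean.username}`;
  return true;
}
```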
Received on Mar 29 2006