Secure Coding mailing list archives

RE: Standards for security


From: "Alun Jones" <alun () texis com>
Date: Tue, 13 Jan 2004 15:18:20 +0000

-----Original Message-----
From: Jeff Williams @ Aspect
Sent: Sunday, January 11, 2004 4:06 PM

I'm thrilled that the FTC is going after companies like GUESS and PETCO for
having SQL injection flaws. They're pointing to the OWASP Top Ten as
evidence that there is a trade practice. This is the kind of standard that
works -- easy enough for lawyers to understand and apply in court.

I think it's great that companies are being required to live up to an
appropriate level of security, but I have a concern that we might be in a
climate of people pointing fingers at companies that have been caught out by
a random hacker proving a SQL injection flaw in their site - while at the
same time hoping that nobody's noticing their own flaws.

I guess my concern is that the size of the problem is not really well known,
because so much of it is held secret.  What percentage of customer databases
out there are vulnerable?  Is it the sort of number you could begin to
figure out, or would it simply be a best guess?

To what extent is this standard a fact, and to what extent is it a goal?

Alun.
~~~~
-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.