Re: [SC-L] Survey

2008-08-26 Thread ljknews
At 7:21 PM -0400 8/24/08, [EMAIL PROTECTED] wrote:

 The publisher of the web page is not in the security business,
 they are in the publishing business.  But how can I respect
 their publishing expertise if they fail a simple automatic
 test.
 
 Well, I guess that most web developers are not validating with
 tools such as the w3 validators, but, more interestingly, validating with
 different browsers...

My experience is that browsers succeed on standards-compliant
pages.  Standard compliance should be the first test.  If it
subsequently fails on a particular browser, it is a browser
defect which may or may not be of interest to the publisher.
-- 
Larry Kilgallen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Survey

2008-08-26 Thread Romain Gaucher
ljknews wrote:
 My experience is that browsers succeed on standards-compliant
 pages.  Standard compliance should be the first test.  If it
 subsequently fails on a particular browser, it is a browser
 defect which may or may not be of interest to the publisher.

Agreed that, talking only about HTML, browsers are okay with standard 
pages. But nowadays, pages are not only HTML, but CSS, JavaScript, etc.
Then the validators are not useful: a CSS file will most likely have 
different rendering even if it's w3 compliant.

Then, talking about publishers, of course they care about particular 
bugs of browsers, and that's why web interfaces are tough to do! You need 
to have a good/almost-consistent rendering on different browsers... no 
matter if they have bugs or not.

--Romain
http://rgaucher.info



Re: [SC-L] Survey

2008-08-26 Thread Jim Manico
How does xHTML help stop access control vulnerabilities? Authorization
issues? CSRF problems?

And who is to say that an attacker cannot still do server side injection
(sql injection, ldap injection) or timing attacks?

I'm just getting started. xHTML is only one tiny piece of the outbound
encoding problem.

Hey, while we are at it - who is to say that someone mounting a MITM
attack could not modify/corrupt data and still be (woo ho) xHTML valid?

- Jim

 Hi Jim,

  There are plenty of sites that are perfectly x/html valid that are
 completely insecure.

 Well, perhaps too many people have been listening to this drumbeat:
 In fact, a non-developer: such as someone in marketing who uses
 Dreamweaver, could also do almost as much as a normal WAF by saving
 their content as valid XHTML. This would buy the organization basic
 application security functionality, which is what WAF also attempts to
 do.

 http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

 I rest my case.
 Stephen

 On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico [EMAIL PROTECTED] wrote:

 There are plenty of sites that are perfectly x/html valid that are
 completely insecure.

 There are plenty of sites that follow perfect w3c and other
 standards that are completely insecure.

 There are plenty of sites that are top-tier security vendors that,
 at least in the past, have been insecure.

 - Jim


 At 11:11 AM -0400 8/24/08, Paco Hope wrote:

   
 Clearly the survey's content is only of interest if the HTML validates.
 
 The publisher of the web page is not in the security business,
 they are in the publishing business.  But how can I respect
 their publishing expertise if they fail a simple automatic
 test.

 And how can their target audience of security folk, who depend
 strongly on following standards respect the knowledge of a
 publisher who does not follow publishing standards.

   
 On Aug 24, 2008, at 9:47 AM, ljknews [EMAIL PROTECTED] wrote:

 
 At 2:43 PM -0400 8/22/08, Gary McGraw wrote:

   
 BankInfoSecurity is running a survey on software security that some
 of you may be interested in participating in.  Try it yourself here:

 http://www.bankinfosecurity.com/surveys.php?surveyID=1
 
 Hmmm.  http://validator.w3.org says there are 973 errors on that page.
   





-- 
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

---
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
Sept 22nd-25th 2008




Re: [SC-L] Survey

2008-08-26 Thread ljknews
At 9:12 AM -1000 8/26/08, Jim Manico wrote:

 How does xHTML help stop access control vulnerabilities?
  Authorization issues? CSRF problems?

It is indicative of the caliber of the people who built
the site.

My immediate interest is that validation combats browser crashes.

I am not interested in dealing with people who cannot get
the simple things right.
-- 
Larry Kilgallen


[SC-L] Survey thread killer

2008-08-26 Thread Kenneth Van Wyk

Hi SC-Lers,

With these last 2 messages, let's kill off the survey thread, please.   
I allowed it to continue on--probably longer than I should have-- 
because there seemed to be valid and interesting points being made on  
both sides of the debate.  But that seems to have run its course, so  
let's please let it die out.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









Re: [SC-L] Survey

2008-08-26 Thread Paco Hope
On 8/26/08 3:03 PM, ljknews [EMAIL PROTECTED] wrote:

I am not interested in dealing with people who cannot get
the simple things right.

Right. Because we all know that the HTML, xHTML, DHTML, CSS, and the related 
standards are really simple. Nothing to it. Writing valid HTML in our 
applications is a snap. And when management says "so, why are we a week late 
getting the application into production?" they'll be pleased to hear that it 
was to make sure the HTML on all 300 screens validated. Never mind that the app 
was satisfying its users and business owners when it didn't validate. It's 
important to make the validation programs happy, not the users or the business.

As it is, web applications are shoved out the door with insufficient attention 
paid to their functional capabilities. Then there's the insufficient attention 
paid to their security capabilities. Standards compliance is orthogonal to all 
that. I'd rather have a functional and sufficiently secure web site that was 
non-compliant than one that was compliant but lacking in functionality or 
security.

Either way, I think Gary's point in putting the survey out on this list was to 
see if we were interested in the survey. It's a shame we've gone off on a 
tangent about the value of validating HTML.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.



Re: [SC-L] Survey

2008-08-26 Thread Jim Manico
Making a very complex Ajax rich-client web application perfectly xHTML
valid is not easy. Most of the enterprise world goes way beyond simple
flat-file xHTML. Add in (the real reality of) highly database-driven,
dynamically generated JavaScript/Ajax-heavy pages, and I continue to
conjecture that perfect xHTML is not only not that important but very
difficult to accomplish. Or at least it's not as simple as you state below.

Heck, who is to say that you can't accomplish XSS or other client-side
attacks and still be xHTML compliant?

I think you would go a lot further in securing your apps if you got
programmers to html entity encode output data, actually do access
control right, encode data on the server side to prevent injection
attacks, etc.

Sure the WAF world would like xHTML - but we do not live in a perfect
world. Most sites are not xHTML compliant in the enterprise.

- Jim

 At 9:12 AM -1000 8/26/08, Jim Manico wrote:

   
 How does xHTML help stop access control vulnerabilities?
  Authorization issues? CSRF problems?
 

 It is indicative of the caliber of the people who built
 the site.

 My immediate interest is that validation combats browser crashes.

 I am not interested in dealing with people who cannot get
 the simple things right.
   


-- 
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com

---
Management, Developers, Security Professionals ...
... can only result in one thing. BETTER SECURITY.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference  
Sept 22nd-25th 2008
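The point Jim makes above, that a page can be XHTML-clean and still carry an XSS payload, and that the fix is output encoding rather than validation, is easy to show concretely. The following is an added example written for this archive page, not code from any poster or from the survey site. It renders a hypothetical "thank you" page from a constructed template, once with the user-supplied name inserted raw and once after HTML entity encoding, and then checks each result with an XML parser. The template, the `name` parameter and the payload are all made up for the illustration.

```python
"""Well-formed XHTML is not the same thing as XSS-free XHTML.

Added example (not from the SC-L thread). The template, the user-supplied
`name` value and the payload below are constructed for illustration.
"""
import html
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Hypothetical page template: a single paragraph echoing a submitted name.
TEMPLATE = (
    '<html xmlns="http://www.w3.org/1999/xhtml">\n'
    '<head><title>Survey</title></head>\n'
    '<body><p>Thanks, {name}!</p></body>\n'
    '</html>\n'
)

# Constructed attacker input: well-formed markup, so an XML/XHTML check
# has nothing to complain about, yet it executes in the victim's browser.
PAYLOAD = '<script type="text/javascript">alert(document.cookie)</script>'


def render_unsafe(name: str) -> str:
    """Insert the value verbatim (the vulnerable pattern)."""
    return TEMPLATE.format(name=name)


def render_safe(name: str) -> str:
    """Entity-encode the value first, so '<' becomes '&lt;' and the
    browser treats the input as text rather than markup."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


def is_well_formed(doc: str) -> bool:
    """Stand-in for the validator's first question: does this parse as XML?"""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def count_script_elements(doc: str) -> int:
    """How many real <script> elements does the parsed document contain?
    This is what the browser sees; the validator does not care."""
    root = ET.fromstring(doc)
    return sum(1 for _ in root.iter(f"{{{XHTML_NS}}}script"))


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(PAYLOAD)),
                        ("safe", render_safe(PAYLOAD))):
        print(f"{label}: well-formed={is_well_formed(page)} "
              f"script elements={count_script_elements(page)}")
```

Both renderings parse cleanly, so a well-formedness check passes either way; only the entity-encoded version has zero `<script>` elements in the parsed tree. The same distinction holds for SQL, LDAP or any other interpreter downstream of the page: the encoding has to match the context the data lands in, and no markup validator stands in for it.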

