All,
With due respect to those who work on ESAPI, Jim included, ESAPI is not the
only way to make a secure app even remotely possible. And I believe that
underneath their own pride in what they've done--some of which is very
warranted--they understand that. It's hard not to become impassioned
Greetings,
I was listening yesterday to an interview [1] on NPR with Dr. Atul
Gawande, author of Checklist Manifesto [2]. He describes the
problem that medical procedures (e.g., surgery) tend to have lots of
mistakes, mostly caused because of leaving out important steps. He
claims that 2/3 of
I think there's lots of applicability. People - especially techies - cut
corners. The pressure is usually to get things done in a certain amount
of time, and then add on that people generally like to expend as little
energy as possible, and voilà! you see the problem.
Of course, the flip side is
John,
You do not need OWASP ESAPI to secure an app. But you need AN ESAPI
for your organization in order to build secure apps, in my opinion.
OWASP ESAPI may help you get started down that path.
An ESAPI is no silver bullet, there is no such thing as that in
AppSec. But it will help you
Jim,
Yours was the predicted response. The ref-impl. to API side-step does not fix
the flaw in the argument though.
No, you do not need AN ESAPI to build secure apps.
Please re-read my email carefully.
Alternatives:
1) Some organizations adopt OWASP ESAPI's ref-impl.
2) Others build their
On Thu, Jan 7, 2010 at 7:11 AM, Jeremy Epstein jeremy.j.epst...@gmail.com wrote:
Greetings,
So as I was listening, I was thinking that many of the same things
could be said about software developers and problems with software
security - every piece of software is unique, any non-trivial piece
To expand briefly upon "But you need AN ESAPI for your organization":
From a certain point of view, just as applications can be PK-enabled, they can
be ES-enabled. Instead of a PKI toolkit, one uses an Enterprise Security API
toolkit. Instead of signature functions, think input validation
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened... Only using the last
digit of the year? Hard for me to believe. Maybe it's in a single API
and somebody tried to be too clever with some bit-shifting.
My wife says that in the lead-up to the
On Thu, 7 Jan 2010, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened...
My name is Steve. I had a 2010 problem.
An internal CVE support program was hit by this issue. Fortunately,
there weren't any fatal results and it was only an annoyance. However: I
had an
Stephen Craig Evans wrote...
Looks like there's another one:
Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager
http://www.eweek.com/c/a/Security/Symantec-Y2K10-Date-Stamp-Bug-Hits-Endpoint-Protection-Manager-472518/?kc=EWKNLSTE01072010STR1
I am VERY curious to learn how these
hi sc-l,
I am pretty sure that Brian Chess used to have this in his standard talk some
many years ago. Then again I am getting old.
Great analogy. Note that checklists DO NOT take the place of the intensive
care staff!
gem
On 1/7/10 10:11 AM, Jeremy Epstein jeremy.j.epst...@gmail.com
Larry Kilgallen wrote...
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened... Only using the last
digit of the year? Hard for me to believe. Maybe it's in a single API
and somebody tried to be too clever with some bit-shifting.
My wife
At 2:37 PM -0600 1/7/10, Wall, Kevin wrote:
Larry Kilgallen wrote...
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened... Only using the last
digit of the year? Hard for me to believe. Maybe it's in a single API
and somebody tried to be
Regarding PKI, we travel in different circles when it comes to that, perhaps
best to leave that one there.
Anywho... All sorts of apples and oranges are being mixed up here. There is the
security of a targeted app, of the components in the environment that it
depends on to run, of the