Rich, I do wish to be clear that when I say most significant I mean that purely in a quantitative and not a qualitative manner. Vulnerabilities associated with client-side scripting are certainly not the most harmful forms of security intrusion.
> These are (a) web browser and (b) operating system vulnerabilities,
> and are quite readily mitigated by making sensible choices about both.

I draw a solid distinction between mitigation and solution. A mitigation is a proactive action to ensure systems or data in your area of responsibility are protected against security breaches from both internal and external users. That is an attempt to avoid the problem, and it is not a solution to the problem. A solution is a recommendation that intends to eliminate the problem, which thereby reduces the scope of mitigation in a given security assessment. In other words, if actions to a system were really a solution to client-side security vulnerabilities then those security flaws must never again occur upon that system, correct?

> If, on the other hand, poor choices of web browser and/or operating
> system (or mail client, for that matter) are made, then it really
> doesn't matter whether traffic moves via HTTP or SMTP or anything
> else: those systems WILL be compromised.

Users can only be protected from themselves through adherence to policies, procedures, and relevant training. That is a leadership solution and not a technology solution. Protecting users from themselves does not solve exploitable weaknesses in technology. In these cases you have to simply fix the technology to disallow exploitation. If this were not so, software companies would not spend millions of dollars to continually patch their products if administrators and management could so easily retrain their users.

Thank you,
Austin
