On Fri, Nov 22, 2013 at 09:05:44AM -0800, Will Sargent wrote:
> I'm theoretically interested in theoretical papers, but as an engineer, I'm
> continually frustrated that most of the focus in security seems to be on
> exploits and breaking things, rather than on techniques and tools that can
> be used for hardening and preventing attacks.

Amen to that!

> I'm moving around my security website at http://hardenwebapps.com/ to be
> more focused on tools and techniques vs just listing out the attacks and
> "how to get pwned" exploits, but I don't find XSS attacks or fuzzing
> intrinsically interesting. I'd be more interested in a tool that made XSS
> / fuzzing attacks impossible.

That's a useful site, I'll keep it around for reference.

By the way, have you considered adding a section about Scheme/SXML to the
XSS and SQL injection page? Haskell and other typed languages are interesting
as well, since typing is a simple way to prevent non-HTML/SQL strings from
being entered into HTML/SQL (this can be emulated with dynamic but strictly
typed languages like Scheme or Ruby as well, but it's a little more cumbersome).

Partly out of the same frustration you have with the security industry's
focus on "today's hottest exploits", I wrote an article a while ago which
discusses the ways in which injection attacks can be prevented properly, and
how to *pervasively* prevent such attacks in software:
http://www.more-magic.net/posts/structurally-fixing-injection-bugs.html

Originally that post opened with a rant about the focus on exploits, but I
decided to scrap it and keep the one line at the start :)

If you'd like more info about SXML or other things I discussed, let me know
and I'd gladly provide some examples.

Cheers,
Peter Bex
--
http://www.more-magic.net

_______________________________________________
langsec-discuss mailing list
[email protected]
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
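The SXML idea Peter refers to, as an added example that is not part of the thread and not Peter's or Will's code: markup is built as a tree (tag, optional attribute dict, children) and only turned into a string by one serializer that escapes every text node and attribute value, so an untrusted string has no path to becoming markup. The tree shape and the `naive` string-concatenation contrast are assumptions made for this illustration; the `<script>` sample is a constructed input.

```python
# Added example: SXML-style HTML construction in Python (not from the thread).
# Markup is a nested tuple tree: (tag, {attrs}?, *children). Plain strings in
# the tree are always text nodes, never markup, so the serializer is the only
# place escaping has to be correct. Tag names and attribute names come from the
# program, not from untrusted input; only values and text come from outside.
from html import escape

UNTRUSTED = "<script>alert(1)</script>"  # constructed sample input


def render(node):
    """Serialize an SXML-like tree into an HTML string, escaping all text."""
    if isinstance(node, str):
        # Text node: escape <, >, &, " and ' so the string stays text.
        return escape(node, quote=True)
    tag, *rest = node
    attrs = {}
    if rest and isinstance(rest[0], dict):
        attrs, rest = rest[0], rest[1:]
    # Attribute values are escaped too, so a value cannot close the quote
    # and start a new attribute.
    attr_str = "".join(
        f' {name}="{escape(str(value), quote=True)}"'
        for name, value in attrs.items()
    )
    inner = "".join(render(child) for child in rest)
    return f"<{tag}{attr_str}>{inner}</{tag}>"


def greeting_page(name):
    """Untrusted `name` can only ever appear as text or an attribute value."""
    tree = ("html",
            ("body",
             ("h1", "Hello, ", name),
             ("p", {"title": name}, "Your name is shown above.")))
    return render(tree)


def naive(name):
    """The string-building approach the tree structure replaces."""
    return "<h1>Hello, " + name + "</h1>"


if __name__ == "__main__":
    print(naive(UNTRUSTED))          # script tag survives as markup
    print(greeting_page(UNTRUSTED))  # script tag is inert text
```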
