On Wed, Sep 1, 2010 at 2:44 PM, David Connors <[email protected]> wrote:
> On 1 September 2010 13:47, silky <[email protected]> wrote:
> >
> > It's hard to blame the programmers totally for this, as it's almost
> > always a business issue that has led to the poor implementation
> > (security not being a priority).
>
> I don't know that it is fair to say it is 'almost always a business issue'.
>
> I don't think it really takes much more time to write a parameterised stored
> procedure that does not execute SQL versus sticking strings together in a
> haphazard/dodgy fashion.

Can't argue with that.

> Developers should step up and take responsibility and pride in the quality
> of the work they produce IMNSHO.

Agreed.

Back in the day when I cared about this sort of thing on a day-to-day basis, my thoughts were like yours: that programmers should see things as either being "correct" or "not correct", and when doing anything relating to SQL Injection or just general handling of data in correct contexts, there are clear and obvious answers to this.

But at some point I changed to thinking that, well, obviously there are correct and not correct things. So instead let us rate the ways of doing things, and determine the risks associated with each and the times for each approach.

So it comes out that any given programmer at some given company doesn't get much reward for spending time doing something securely if there is no risk, so you need to rate the risk and discuss it. Therefore it's obvious that the way progress in security will be made is via security becoming a priority for management, not only for developers. It's hard to do it correctly without putting some dedicated thought into it.

> [ ... ]
> --
> David Connors | [email protected] | www.codify.com
> Software Engineer
> Codify Pty Ltd
> Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
> V-Card: https://www.codify.com/cards/davidconnors
> Address Info: https://www.codify.com/contact

--
silky
http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."
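As an added illustration of the point above about parameterised queries versus "sticking strings together" (example code written here, not from the thread or either poster), the two approaches side by side on a constructed in-memory SQLite table; the table, rows and inputs are all made up for the demonstration:

```python
import sqlite3
from typing import List, Optional

# Added example: concatenated SQL beside the parameterised form, on constructed data.

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def roles_concatenated(conn: sqlite3.Connection, name: str) -> Optional[List[str]]:
    """Sticking strings together: the caller's input is spliced into the SQL text,
    so the database parser sees whatever the input contains. Returns None when
    the resulting statement does not even parse (e.g. an honest name with an
    apostrophe), which is the same failure a customer named O'Brien would hit."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def roles_parameterised(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised query: the statement text is fixed and the input is bound as
    a value, so quotes or SQL keywords inside it are just characters to compare."""
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name: str) -> dict:
    """Run both lookups on the same input so the difference is visible."""
    conn = make_db()
    return {"concatenated": roles_concatenated(conn, name),
            "parameterised": roles_parameterised(conn, name)}


if __name__ == "__main__":
    # Constructed inputs: a normal name, an honest name with an apostrophe,
    # and the textbook string that turns the concatenated WHERE clause into a tautology.
    for probe in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(probe), compare(probe))
```

The parameterised version is no longer to write than the concatenated one, yet it returns exactly the rows the developer intended for every input, while the concatenated one either errors on ordinary data or returns rows it never should.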
