Hi Jim,

"There are plenty of sites that are perfectly x/html valid that are completely insecure."

Well, perhaps too many people have been listening to this drumbeat:

"In fact, a non-developer: such as someone in marketing who uses Dreamweaver, could also do almost as much as a normal WAF by saving their content as valid XHTML. This would buy the organization basic application security functionality, which is what WAF also attempts to do."
http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/

I rest my case.

Stephen

On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <[EMAIL PROTECTED]> wrote:
> There are plenty of sites that are perfectly x/html valid that are
> completely insecure.
>
> There are plenty of sites that follow perfect w3c and other standards that
> are completely insecure.
>
> There are plenty of sites that are top-tier security vendors that, at least
> in the past, have been insecure.
>
> - Jim
>
> At 11:11 AM -0400 8/24/08, Paco Hope wrote:
>
> > Clearly the survey's content is only of interest if the HTML validates.
>
> The publisher of the web page is not in the security business,
> they are in the publishing business. But how can I respect
> their publishing expertise if they fail a simple automatic
> test.
>
> And how can their target audience of security folk, who depend
> strongly on following standards respect the knowledge of a
> publisher who does not follow publishing standards.
>
> > On Aug 24, 2008, at 9:47 AM, "ljknews" <[EMAIL PROTECTED]> wrote:
> >
> > > At 2:43 PM -0400 8/22/08, Gary McGraw wrote:
> > >
> > > > BankInfoSecurity is running a survey on software security that some
> > > > of you may be interested in participating in. Try it yourself here:
> > > > http://www.bankinfosecurity.com/surveys.php?surveyID=1
> > >
> > > Hmmm. http://validator.w3.org says there are 973 errors on that page.
>
> --
> Jim Manico, Senior Application Security
> [EMAIL PROTECTED] | [EMAIL PROTECTED]
> (301) 604-4882 (work)
> (808) 652-3805 (cell)
>
> Aspect Security™
> Securing your applications at the source
> http://www.aspectsecurity.com
>
> ---------------------------------------------------------------
> Management, Developers, Security Professionals ...
> ... can only result in one thing. BETTER SECURITY.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
> Sept 22nd-25th 2008
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________