A lot of this gets back to a "framework versus roll your own" debate:
http://1raindrop.typepad.com/1_raindrop/2005/05/wsmex_v_httpget.html
&
http://www.identityblog.com/2005/04/30.html#a210
Also, for some good context on security in AJAX, REST, et al., as well as examples of how Amazon and Google deal with security, check out Mark O'Neill's deck from RSA:
http://radio.weblogs.com/0111797/2006/02/20.html#a44
-gp
On Feb 1, 2006, at 12:31 AM, Crispin Cowan wrote:
ljknews wrote:
I have been involved in a dialog with AJAX fans (which is different from experts) who say "you security folks just have to bow to the inevitable and figure out how to secure whatever mechanism we come up with."
This attitude is not unique to AJAX advocates. I remember holding this view myself, while wrestling with the problems of producing a truly transparent distributed operating system in the late 1980s and early 1990s; security was a bother that made things hard(er).
Of course, this is just lifetime employment for security people :) I have certainly made a career out of securing things that are inherently insecure.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Olympic Games: The Bi-Annual Festival of Corruption
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php