Hi sc-l,
There are some important good things about top ten lists that are worthy of
mention. The notion of knowing your enemy is essential in security (as it is
in warfare), and top ten lists can help get software people started thinking
about attacks, attackers, and the vulnerabilities they
On Tue, 13 Jan 2009, Gary McGraw wrote:
> I thought you might get a kick out of it.
I did! :-) Always good to have debates.
> Executives don't care about technical bugs
No, but they do what PCI says they have to (i.e. listen to the OWASP Top
Ten). They do care about the bottom line. They hat
Steve, I agree with you on this one. Both input validation and output encoding
are countermeasures to the same basic problem -- that some of the parts of
your string of data may get treated as control structures instead of just as
data. For the purpose of this email I'm using a definition of "inpu
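The point above, that the same untrusted string is plain data to one interpreter and control structure to another, is easiest to see side by side. The following is an added example written for this page, not code posted by anyone in the thread. It renders one attacker-controlled value into an HTML text context and an SQL query, first by naive concatenation and then with context-specific output encoding (HTML entity escaping, parameterised SQL), and shows an allowlist validator as the boundary-side countermeasure. All function names, table contents and payload strings are constructed for the illustration.

```python
"""Added example: one untrusted value, two interpreters, two countermeasures.

Not code from the original thread. All data below is constructed.
"""
import html
import re
import sqlite3

# Constructed attacker-controlled inputs.
HTML_PAYLOAD = "<script>alert(1)</script>"
SQL_PAYLOAD = "' OR '1'='1"


def render_unencoded(name):
    """Vulnerable: the value is spliced into HTML as-is, so any markup in it
    is parsed as markup (control), not as text (data)."""
    return f"<p>Hello, {name}</p>"


def render_encoded(name):
    """Output encoding for the HTML text context: < > & " ' become entities,
    so the browser treats the whole value as character data."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def make_db():
    """Constructed in-memory table with a few users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable: the value is concatenated into the query text, so the
    quote and OR in it are parsed as SQL control structure."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Safe: the value travels separately from the query text, so the SQL
    parser never sees it; the equivalent of output encoding for this sink."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Allowlist for a username: letters, digits, underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    """Input validation at the boundary. Rejecting everything outside the
    expected alphabet stops both payloads above, but it is a complement to
    encoding at the sink, not a replacement: a value that passes an allowlist
    can still be control structure in a context the allowlist did not have
    in mind."""
    return bool(USERNAME_RE.match(value))


if __name__ == "__main__":
    print(render_unencoded(HTML_PAYLOAD))
    print(render_encoded(HTML_PAYLOAD))
    db = make_db()
    print("concatenated:", lookup_concatenated(db, SQL_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, SQL_PAYLOAD))
    for candidate in ("bob", SQL_PAYLOAD, HTML_PAYLOAD):
        print(repr(candidate), "valid:", validate_username(candidate))
```

Running it shows the concatenated query returning every user while the parameterised one returns nothing for the same string, and the escaped HTML carrying the payload as literal text. The validator rejects both payloads, which is why the two countermeasures are usually layered rather than chosen between.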
Hi all,
As some of you may know I've spent some time researching how to apply
Aspect Oriented Programming (AOP) to web application security. I
haven't been able to spend as much time on the topic as I'd like, but
I was able to come up with a proof of concept for Java EE
applications.
I created an