Hi Alex,

I just thought I'd give you some feedback on the "Desktop Application Security" section here:

Both of the sections below seem to be subheadings under this topic:

1.  Under this heading the sub-section of the document titled "Lack of Rate Limiting" states that we should use a "CAPTCHA" to slow down hackers.  This didn't make much sense to me as when I think of Desktop Application I think of the few that I've used:  Twitteriffic, Tweetie, and Destroy Twitter.  All of those have direct control of their UI.  Although a CAPTCHA could be used to limit scripted behaviors, it would probably be more effective just to directly limit the resource.
It's not that a CAPTCHA *couldn't* be used, it's just not something I see very often in a desktop application.
It seems to me that CAPTCHA would be more appropriate for a multi-user service than a single user desktop app -- so I was wondering if this section of the document was in the wrong area.

2.  Under the sub-section Lack of Information about Threats, it begins, "If you think there's an issue with your web application, how do you find out for sure?"  This is clearly at least a typo in the *desktop* app section, but it goes on to describe creating a "dashboard" of critical stats.  Again, this would make more sense in the context of service administrator, but I'm having trouble understanding what this would mean to a desktop application developer.


Am I misunderstanding what is meant by "Desktop Application?"  Does that mean something other than the examples I mentioned?


Thanks,


On Jun 29, 2009, at 3:34 PM, Alex Payne wrote:

I wanted to point out a blog post (http://apiblog.twitter.com/security-best-practices-for-twitter-apps) that addresses the coming "Month of Twitter Bugs". Long story short: Twitter is in the loop, we've got security at the forefront of our daily work right now, and we're available to help if your application is identified as vulnerable or compromised.

Please check out the new wiki page (http://apiwiki.twitter.com/Security-Best-Practices) and let us know what's missing. Thanks!

--
Alex Payne - Platform Lead, Twitter, Inc.
http://twitter.com/al3x