Pantek Library

Re: Top Ten Web App Sec Problems

From: Alex Russell <alex(at)netWindows.org>
Date: Mon Dec 02 2002 - 13:19:53 EST

On Saturday 30 November 2002 13:21, Mark Curphey wrote:
> What we were looking at is more of a report like page 4 of this

That doesn't surprise me in the slightest, considering the amount of confusion just on this list (and those on this list are actually interested in doing the right thing) about session management and its kin.

> Is this accurate in your opinion ?

Couple of things to note about the paper:

  • tools are downplayed in the analysis, yet no hard numbers are provided to substantiate this. All that is said is that components are interchangeable and should be treated this way. I'm not sure I'd buy this line, even if it had numbers to back it up.

Overall, I think the paper is a good start, but needs more substantiation for many of its claims. As for whether or not it reflects the real world, I'd be inclined to say that if a company is hiring @stake, they're probably already on the right track, so things are probably even worse than they look.

-- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com
Received on Mon Dec 2 15:40:10 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT

