Comments on Jeremiah Grossman: Web Application Security Today - Are We All Insane?
Blog author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Comment feed last updated 2024-02-08T03:44:23-08:00

Jim Manico (https://www.blogger.com/profile/12382834501997208557), 2008-07-06T18:12:00-07:00

@ Rafal - But... sadly - when a "computer" looks for vulnerabilities you get less-than-useful results, and you don't know whether you are testing the security of the application or the knowledge of the tool. Applications are like clay and no tool will ever be able to discover the truly interesting vulnerabilities. It takes a combination of manual testing, automated testing, manual code review and automated code review.

Rafal Los (https://www.blogger.com/profile/18106347834259269413), 2008-07-02T17:40:00-07:00

@Andre - easier said than done

@Matt - But... sadly - when a "human" looks for vulnerabilities you get inconsistent results, and you don't know whether you are testing the security of the application or the knowledge of the security "expert"...
I've written on this topic in the past, it's tough.

Rafal Los (https://www.blogger.com/profile/18106347834259269413), 2008-07-02T17:38:00-07:00

This comment has been removed by the author.

Matt Presson (https://www.blogger.com/profile/02537815584811632732), 2008-07-02T09:22:00-07:00

I do agree with Andre that security needs to be built in to the SDLC, but as someone who works in a large corporation with various development teams, I find it hard to swallow the statement that "they don't need to know anything about security." In fact I heartily disagree.

The best way to ensure that developers write secure software is to make them think about security, and to educate them in how they should think about it. Essentially, increase awareness! If you don't know what is possible you can't write more secure code. This is just a fact of life.

Furthermore, allowing some tool to tell you what is wrong, security wise, is not sufficient and never will be. A tool can help, but should NEVER hold the sole responsibility of finding security bugs. It takes an intelligent person to spot security issues and recommend viable fixes. People can also check for things tools can't, like something that doesn't have a scanning signature yet.

Tools have their place, but in the end education is always more beneficial.
It helps prevent future issues and gives you insight into why.

dre (https://www.blogger.com/profile/17414510788948258195), 2008-07-02T09:01:00-07:00

"beating the drum for software in the Software Development Lifecycle (SDL)"

This is a great point. It would be nice if developers focused on building software instead of writing it. Software that can be built every time with no errors is software that we can put more trust in. It's easier to add tests. It's easier to run an automated static checker or bytecode inspector that looks for certain security properties -- and have a lead developer go through the results.

They don't need to be security experts, or know anything about security. They need to be building code that doesn't have errors and is easily testable. Then we can solve these problems when they rebuild the web -- today, instead of 10 years in the future.