.org's are unrestricted domains. There are no rules governing behavior on .org - it's just like .com. Anyone can get their paws on a .org and use them for profit, legally.
If you read the SANS Newsbites, you see breach after breach and people getting sacked or worse. Ouch, you are implying SANS has integrity. Newsbites is an advertising vehicle for one of the most low integrity organizations in the security industry. For real information, Bugtraq is where it's at.
Cover your ass. This is the only way to roll. Email the Security Officer about your disagreement over the issue at hand, and include factual evidence. CC the CEO. Print out a copy for your personal records and use registered mail to mail it back to yourself. When the PCI/SOX/HIPAA/etc. shit hits the fan, bust out the sealed envelope.
Just to acknowledge your point - if I had a small company where I had tight control of the software engineering and operations processes, I'd back your comments.
If I were responsible for a fortune 50 type environment, I'd rather have the data encoded right away. I'd rather see ugly double-encoded web pages than have to explain why an admin's account was hijacked.
No, leaving unencoded data in the database does not leave one open to XSS attacks, tools or not. If a tool dumps unescaped HTML to a browser, it's broken, and needs to be fixed. In the real world, with large enterprises, using old "broken" tools is common. A broken legacy tool causing a large vulnerability is still a vulnerability. You are correct in the ideal world, but the reality of "large enterprise computing" dictates more intelligent behavior.
Then you leave yourself open to XSS attacks. You do not want to leave XSS attack code in your DB. Log management tools, web database tools and other possibilities may cause non encoded data to be executed when you least want it to.
If you do not whitelist, and you do not encode, you are screwed. This is just AppSec 101.
Programming is not supposed to be easy. Many online docs show how to use parameterized queries properly. No language is foolproof.
Also, quoting of user input is never enough. If you are going to accept all user input, you need to, at least, do full HTML Entity encoding before you place the data in the database in order to prevent all attack categories.
And even then, it's dangerous to do anything other than whitelist validation. Accepting all user input is foolish.
The one who had a clue as to what I was talking about excited me, until he told me the solution was to look for "SELECT", "UPDATE", and "DROP" in user strings and signal an error if they're found. DOH!
Blacklist validation is BAD. Use whitelist validation (for XSS and other exploits) in ADDITION to using parametrized queries with bound variables for SQL injection protection.
Parametrized queries ALONE are not enough. I've seen programmers (in Java) use the PreparedStatement class but still build their entire SQL statement via string concatenation and just slam it through the PreparedStatement. The real trick is, again, parametrized queries with bound variables.
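The two comments above describe the anti-pattern of running a statement API over SQL text that already has the user's value concatenated into it, and the recommended combination of whitelist validation with bound variables. This is an added illustration, not the poster's code: it reproduces the same mistake and its fix in Python with sqlite3 (the Java PreparedStatement case behaves identically), against a constructed in-memory users table, with a hypothetical username whitelist.

```python
import re
import sqlite3

# Constructed sample data standing in for a real users table.
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("root", "admin")]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, name):
    """The anti-pattern from the comment: the statement API is called, but the
    user-controlled value was spliced into the SQL text beforehand, so the
    parser treats it as SQL syntax rather than as data. Shown only to contrast
    with the bound version below; do not use."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Parameterized query with a bound variable: the value travels separately
    from the SQL text, so it can never change the query's structure."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical whitelist: what a username is allowed to look like. Anything
# else is rejected outright, instead of scanning for "bad" substrings.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def whitelist_username(name):
    """Whitelist validation as the comment recommends; raises on any mismatch."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username rejected by whitelist")
    return name


def safe_lookup(conn, name):
    """Both layers together: validate against the whitelist, then bind."""
    return lookup_bound(conn, whitelist_username(name))
```

Any input containing a quote character changes the shape of the concatenated query but is simply a non-matching value for the bound one, and the whitelist rejects it before either query runs.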
"if it is rote, repeatable, coding with very clear and concise requirements" Uh, what industry would that be? I've been a software engineer for 11 years and I have yet to be in a project like you are describing above. :) The reason why American programmers are still at a premium is that they are businessmen AND engineers - they can handle constant requirement change. I.e., the real world.
An offensive measure would also mean sending a few burly Marines to the offender's office to beat the tar out of them. Now that's what I call "Intrusion Prevention".
Yup. "Do no Evil" does not mean "Don't screw your opponents". That is like saying that American troops shooting at Nazis during WW2 was evil. Google went to war to help consumers. GOOD WORK, GOOGLE!
Dude, the poster is correct. Google "swiss bank nazi gold", "swiss bank terrorism" etc. The Swiss bank system has a very long history of privately holding large sums of money for scumbags.
"The internet's main problem is between the monitor and keyboard ;-)" I know you meant well, but that is a very ignorant statement. I can be casually surfing the web with a modern browser, and if I hit a site that was hijacked by an attacker, even if I have modern security software installed, I can get hit with JavaScript code that can escape the sandbox, break single origin policy, or (in the past) flat out run OS commands. The browser is an operating system. And a very insecure one at that.
Photoshop:
File Open, locate file, single click
Select generic crop tool
Click and drag to select desired area
Enter
GIMP has 2 non-intuitive steps, not to mention trying to crop very small images.
Those of you who have never used GIMP, I dare you to download it and just crop a simple file. It's such a retarded piece of software. I still love ps7. loads fast + does everything I need. Online PS is rather impressive, actually. Nicely done.
"I don't wanna patch up, I'm a Toy's R Us admin, there's a million exploits at Toys' R Us that I can pwn with!"
This is an executable, and AVG does not include coverage right now. FF will not save you, either.
Translation: PWND
http://www.virustotal.com/analisis/13bfb6913f9c328c7b657fce4ba4c731
... and think it means he works for Microsoft? MS spent billions to improve AppSec. They take it seriously, because customers screamed so loud. The secret? Fortune *300*. The company you are looking for is here: http://money.cnn.com/magazines/fortune/fortune500/2007/full_list/201_300.html
You *PAY* for XP licenses? Crikey!
Thick Client: C++
Enterprise Web Server-side: Java
Web Client: xHTML/JavaScript/CSS/xForms
Non-Enterprise Web Server-side: PHP/Ruby
Tax evasion is not Liberty - it's criminal activity. Responsibility and accountability come with this thing "Liberty" you toss around so haphazardly.
Parents are still in safe browsing grade school. Let me help you get right to the PhD level of safe browsing - http://www.tssci-security.com/archives/2008/03/25/security-and-safe-browsing-for-firefox/
Can the winner turn in that crappy MacBook air for a real laptop like a Dell XPS M1730?