From: Paul Melson (pmelson gmail.com)
Date: Tue Apr 20 2010 - 15:14:19 CDT
> Question: You are doing code review and come across a javascript
> application that does not do input validation. Would you have the
> developer go back and write in input validation? If so, why? If not,
> why?
Where does the app run? If it's client-side, and there are no user-interface
gains, I would leave it alone and settle for validating that any server-side
component of the app is handling input validation. The reason being the
obvious - that client-side input validation is trivially circumvented, so
it's not worth my time or the developer's.
PaulM
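
Added example, not part of the original post: a server-side validator in JavaScript (Node.js) beside the client-side check it cannot depend on, run over constructed request bodies. The field names `sku` and `quantity`, the SKU format and both function names are assumptions made for illustration.

```javascript
const SKU_RE = /^[A-Z]{3}-\d{4}$/; // hypothetical SKU format

// Client-side check: runs in the browser and is useful only for user feedback.
// A request sent straight to the server never executes this function.
function clientSideCheck(form) {
  return SKU_RE.test(form.sku) && Number(form.quantity) > 0;
}

// Server-side validation: the only check the application can rely on.
// It takes the raw request body because nothing about it can be assumed.
function validateOrderBody(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch (err) {
    return { ok: false, error: 'body is not valid JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  // Reject unexpected fields instead of silently passing them on.
  const extra = Object.keys(data).filter((k) => k !== 'sku' && k !== 'quantity');
  if (extra.length > 0) {
    return { ok: false, error: 'unexpected field: ' + extra[0] };
  }
  // Check types explicitly: "2" and 2 are different inputs on the wire.
  if (typeof data.sku !== 'string' || !SKU_RE.test(data.sku)) {
    return { ok: false, error: 'sku must match AAA-0000' };
  }
  if (!Number.isInteger(data.quantity) || data.quantity < 1 || data.quantity > 100) {
    return { ok: false, error: 'quantity must be an integer from 1 to 100' };
  }
  // Return a fresh object so only validated fields travel further.
  return { ok: true, value: { sku: data.sku, quantity: data.quantity } };
}

// Constructed bodies: the first is what the form would send, the rest never
// passed through clientSideCheck.
const samples = [
  '{"sku":"ABC-1234","quantity":2}',
  '{"sku":"ABC-1234","quantity":"2"}',
  '{"sku":"ABC-1234","quantity":1,"price":0}',
  'not json',
];
for (const body of samples) {
  console.log(body, '->', JSON.stringify(validateOrderBody(body)));
}
```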