OSEC

From: Sverre H. Huseby (shhthathost.com)
Date: Wed Sep 26 2001 - 15:05:50 CDT


Just a few comments on the categories:

First: I've created a web application security course that's been
given to a couple of hundred web developers in Norway this far. In
the course, the major categorization level is "attacks against the
server" and "attacks against the user". The first category contains
methods by which remote users may somehow abuse the server (typically
input stuff). The second category is about how to use a web
application to get to (or abuse) its users (typically output stuff).
Don't know if my categorization makes any more sense than what has
already been proposed, but I wanted to mention it.

Second: Dennis does a good job of keeping his category list updated.
It seems now that the list starts to contain what I normally call
"infrastructure security stuff", of which many books are already
available (correct me if I misunderstand your terms). DNS spoofing,
packet sniffing, debug settings, sample hacking, fingerprinting and
more. Developers should know about it, but there are many sources of
this information. Short appendices may be a good thing, but I'm not
sure it would be correct to give it the same focus as, say, input
validation in this context.

Third: I would like to suggest a couple of additions. The first one
is simple: tell the developers that clear text passwords are bad. The
second is more complex: I can't find Client Side Trojans [*] on the
list. I still think this is one of the most potent security problems
on the web. (No, "Application Trojans" doesn't sound like the same
thing.)

[*] http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan

Sverre.

-- 
shhthathost.com			Try my Nerd Quiz at
http://shh.thathost.com/		http://nerdquiz.thathost.com/
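The "Client Side Trojan" Sverre points to is the pattern described on the linked Zope page: a page on some other site makes a logged-in user's browser submit a request to the web application, and the application carries it out because the browser attaches the session cookie automatically (the problem is now generally called cross-site request forgery). The example below is added here and is not from the original post, the Zope page, or any project; it assumes a toy in-memory session store and a plain dict standing in for an HTTP request. It puts a handler that trusts the session cookie alone beside one that also demands a per-session token that only the site's own pages can embed, and shows that a submission arriving without the token is rejected while a submission of the site's own form still works.

```python
import hmac
import secrets

# Constructed in-memory state standing in for a session store and a
# database (assumption: a real application would use its own).
SESSIONS = {}   # session id (cookie value) -> {"user": ..., "csrf_token": ...}
BALANCES = {"alice": 100, "mallory": 0}


def login(user):
    """Create a session plus a per-session anti-forgery token; return the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def render_transfer_form(sid):
    """The site's own page embeds the token in the form it serves (constructed HTML).
    A page on another origin cannot read this token, so it cannot reproduce it."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><input type="submit"></form>')


def _move_money(sender, receiver, amount):
    BALANCES[sender] -= amount
    BALANCES[receiver] = BALANCES.get(receiver, 0) + amount


def transfer_vulnerable(request):
    """Acts on the session cookie alone. The cookie proves which browser sent the
    request, not that the user intended it: the browser attaches it to any request
    to this site, including one a form on some other site caused it to send."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    _move_money(sess["user"], request["form"]["to"], int(request["form"]["amount"]))
    return 200


def transfer_hardened(request):
    """Additionally requires the per-session token embedded in the site's own form.
    Constant-time comparison avoids leaking the token through timing."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return 403
    _move_money(sess["user"], request["form"]["to"], int(request["form"]["amount"]))
    return 200


def demo():
    """Replay one cross-site submission (cookie attached, no token) against both
    handlers, then one submission of the site's own form. Returns the statuses
    and alice's balance after each step."""
    sid = login("alice")
    cross_site = {"cookies": {"sid": sid}, "form": {"to": "mallory", "amount": "40"}}
    vulnerable_status = transfer_vulnerable(cross_site)   # 200: the transfer happens
    after_vulnerable = BALANCES["alice"]                  # 60
    hardened_status = transfer_hardened(cross_site)       # 403: rejected, no token
    after_hardened = BALANCES["alice"]                    # still 60
    token = SESSIONS[sid]["csrf_token"]
    genuine = {"cookies": {"sid": sid},
               "form": {"to": "mallory", "amount": "10", "csrf_token": token}}
    genuine_status = transfer_hardened(genuine)           # 200: the site's own form
    return (vulnerable_status, after_vulnerable, hardened_status,
            after_hardened, genuine_status, BALANCES["alice"])


if __name__ == "__main__":
    print(demo())
```

The token is only one part of a defence: state-changing actions should also be confined to POST, and the token must be tied to the session rather than shared across users, which is why `login` generates a fresh one per session.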