[Owasp-codereview] [Owasp-ireland] OWASP Ireland - September 2009 Panel discussion

davidrook david.rook at realexpayments.com
Wed Jul 15 05:10:24 EDT 2009

For controversy dial C for Conor! :)

I have one as well: "The path to secure software does not start with 
specific vulnerabilities".

I think anyone on the Irish mailing list will know I have been saying 
since the release of the Sans Top 25 list earlier this year that I don't 
think lists of vulnerabilities are the optimal approach to developer 
education and ultimately secure software. We as software security 
professionals are guilty of telling developers to prevent a list of 
vulnerabilities instead of telling them to develop securely; yes, I do feel 
there is a difference here. Think of it this way: when you are learning 
to drive, does the instructor give you a list of ways to crash a car and 
hope you figure out how to avoid all of those different ways of crashing, 
or does he teach you how to drive safely and within the rules of the road?

Everyone without fail in the application security community is guilty of 
doing this, yet we blame the developers when the applications are 
insecure. Are the security professionals not just as culpable for not 
educating developers correctly? Whether it be the OWASP Top Ten, PCI DSS 
Requirement 6.5 or companies offering secure development training, they 
all focus on a small set of vulnerabilities instead of focusing on a set 
of secure development principles such as Input Validation, Error 
Handling and Secure Communications.


Conor Mc Goveran wrote:
> HTML5 could have been a unifying standard which may have halted the 
> continued fracturing of the web as a platform, alas with the failure 
> of the browser vendors to unify behind this standard (dropping the 
> video tag due to lack of agreement on the codec) this will be the 
> biggest missed opportunity of the decade. ALL of the developments that 
> are good about the internet/web have come from a base of widely 
> adopted and largely consistent implementation of the standards. The 
> failure to bring the HTML standard into the shiny new world of the web 
> application is the start of the end for web applications. Building web 
> applications is hard because HTML/Javascript is definitely not a good 
> foundation for an application platform. The reason it continues to 
> increase in popularity is because HTML/Javascript, while far from 
> perfect, is well implemented (despite Microsoft's best efforts) and 
> standardised even across OS/Browser combinations. Now we have AIR, 
> Silverlight, Flash, Quicktime, Shockwave blah blah blah. All 
> proprietary, all different, all crap.
> The web is dead. Dead? Yeah dead. US multinationals have screwed the 
> pooch again. Can industry and in particular the US software behemoths 
> actually ever create an innovative diverse and standardised eco-system 
> for technology? Can they ever understand that actually starting to 
> compete with each other on innovation rather than the red-eyed craze 
> of trying to dominate an industry through proprietary lock-in will 
> benefit everyone? Or is this the sole preserve of the academic 
> community? I thought a quote from a Microsoft employee made to me in 
> 2003 summed it all up when speaking about web services: 'If only 
> everyone had used DCOM, none of this would have been necessary.' Sigh!
> 2009/7/14 Eoin <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>>
>     Guys,
>     Any ideas of a *good* topic for a panel discussion which may
>     engage the initiated and non alike?
>     Something controversial? Or bipartisan? ("The world is flat" or
>     "yes, earth is in the middle of the universe") in order to make for
>     an interesting discussion?
>     Whoever comes up with the best one I'll buy them as much Guinness
>     as they can stomach (Tom Brennan not included).
>     -ek
>     -- 
>     Eoin Keary CISSP CISA
>     https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>     OWASP Code Review Guide Lead Author
>     OWASP Ireland Chapter Lead
>     OWASP Global Committee Member (Industry)
>     Quis custodiet ipsos custodes
>     https://twitter.com/EoinKeary
>     _______________________________________________
>     Owasp-ireland mailing list
>     Owasp-ireland at lists.owasp.org <mailto:Owasp-ireland at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-ireland
> -- 
> Conor Mc Goveran,
> Managing Director,
> Onformonics Ltd.
> Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
> Company Reg: 45503
> VAT: 9682767B
> Ph:        +353-14407576
> Mobile:  +353-872038598

David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
