[Owasp-leaders] Generating Passwords Hopw

Stephen de Vries stephen at twisteddelight.org
Wed Jan 21 11:20:21 EST 2009


On Jan 21, 2009, at 4:52 PM, Andrea Cogliati wrote:

> On Jan 21, 2009, at 10:33 AM, Stephen de Vries wrote:
>
>> I think trying to get web security issues addressed in the servlet
>> spec is aiming at too low a level.  You might have better luck with
>> web frameworks projects instead.  Similarly with Ruby, the language
>> itself is too low level, but getting security features added to the
>> Rails framework might be more feasible.
>
> I beg to differ. One of the issues with high level languages (like  
> Java, .NET & Ruby) is that the virtual machine/framework add a layer  
> of abstraction between the application and the OS. Developers lose  
> control of the low level details of memory management, which is good  
> in several circumstances as that avoids memory leaking, prevents  
> buffer overflows and so on, but also might pose a security risk.  
> What if I want to clear sensitive data from memory as soon as I'm  
> finished dealing with them? Or what if I want to prevent sensitive  
> data to be swapped to disk (unless it's encrypted, maybe)? The  
> language (and the framework) must allow some form of low level  
> control on memory in specific circumstances. And, of course, with  
> great power comes great responsibility.

Miscommunication.  :)  I'm talking about security for web apps.  XSRF,  
XSS, etc.
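As an added illustration of the low-level control Andrea asks for in the quoted text (example code written for this page, not code from the thread or from OWASP), the block below shows what a high-level language such as Java does and does not let you do about sensitive data in memory. The password and salt values are constructed for the demo; the point is the `char[]`-plus-`Arrays.fill` pattern and the `PBEKeySpec.clearPassword()` call. The caveats are real: a `String` cannot be wiped because it is immutable, the garbage collector may have copied the array before you zero it, and the JVM offers no equivalent of `mlock` to keep the pages out of swap, so the wipe is best-effort rather than a guarantee.

```java
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class ScrubDemo {

    // Derive a key from a password held in a char[] rather than a String, so
    // the caller can overwrite it afterwards. A String's backing array stays
    // on the heap until the GC reclaims it and can be found in a heap dump.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory factory =
                SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret((KeySpec) spec).getEncoded();
        } finally {
            // PBEKeySpec keeps its own copy of the password; zero that too.
            spec.clearPassword();
        }
    }

    // True if every element of the array has been overwritten with zero.
    static boolean isZeroed(char[] a) {
        for (char c : a) {
            if (c != 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. In real code the password would come from
        // a console or form field as a char[], never via a String.
        char[] password = "correct horse battery staple".toCharArray();
        // Constructed: an all-zero salt keeps the demo deterministic. Use
        // SecureRandom for a real salt.
        byte[] salt = new byte[16];

        byte[] key = null;
        try {
            key = deriveKey(password, salt);
            // ... use key to encrypt/decrypt here ...
        } finally {
            // Overwrite both the password and the derived key as soon as we
            // are done with them. This is best effort: the GC may already
            // have moved the array, leaving a stale copy behind, and Java
            // cannot pin or lock these pages to stop them being swapped out.
            Arrays.fill(password, '\0');
            if (key != null) {
                Arrays.fill(key, (byte) 0);
            }
        }

        System.out.println("password wiped in place: " + isZeroed(password));
    }
}
```

A native-code wrapper (JNI calling `explicit_bzero` and `mlock`, for instance) is the only way to get the guarantees the quoted text wants from the JVM itself, which is exactly the gap Andrea is describing.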
