From: Alex R. <al...@se...> - 2002-06-18 21:39:17

On Tuesday 18 June 2002 04:10 pm, vertigo wrote:
> I think this should be rewritten. I find the language harsh,
> stereotyping, and needs to be run through a spell-checker.
> (BTW, neither "moreso," nor "reckognize" are words in the English
> language.)

Um, I'm pretty sure the word "draft" appears on there at least once... No, I can't spell (or type, apparently), but I figured we should at least get it out for discussion before picking every nit. I'll send out a spell-checked version ASAP.

> I think the part about educating the user is flat-out
> incorrect. Education is beyond the scope of this project.

Then we fail our target audience by not providing them with the biggest tool in improving security: an understanding of the problems at hand.

> The OWASP project as a whole is trying to do that, not this API.

Yes, and we should use those tools as part of our effort. No, we can't make the developer read, but we can provide good docs that address the issues up front and provide links etc. to help them understand them. Half the value of good security tools is that they inform while they lock things down, and we should aspire to that. Security tools that we don't understand are mostly useless, since they'll get misapplied and misunderstood as silver bullets. As a security engineer, I humbly suggest we not go down that road.

> Data-type validation is not even mentioned.

For good reason: it's not relevant in the macroscopic sense. Note the section about "language specific idioms". Data-type validation qualifies as a language-specific idiom. We also agreed that casting was the application developer's problem (not that we shouldn't educate them about it).

> This is, overall, an inaccurate description of the project.

Well, that's for the consensus to decide. Feel free to jump in, guys.

PS, please trim replies.

--
Alex Russell
al...@Se...
al...@ne...