Menu
▾
▴
Re: [Owasp-input-api-developers] Vision Document
|
From: Matthew W. <wi...@ce...> - 2002-08-12 23:48:40
|
On Mon, 12 Aug 2002 17:02:56 -0500 (CDT) Alex Russell <al...@se...> wrote: > On Mon, 12 Aug 2002, John Percival wrote: > > > Hi guys, > > > > I just had a read through, and that doc looks clear and informative. The > > only thing that I would question, without wanting to open a can of worms, is > > the choice not to develop for DCOM/.NET technology. I am not in a position > > to create such filters, but is it our position to judge what language our > > 'customers' will be using? > > No, and perhaps doing a VBScript/D-flat verion is worth considering. > That said, developers using MS tech are starting from an inherently > disadvantaged position WRT to security (IIS, MSSQL, etc..), and probably > have bigger problems. > > I think we can safely say that we won't refuse a contributed MS-tech > version of the filters once we have them working in a reference > language, but I for one won't be spending much (any?) time on that port > as I simply don't have any MS software to develop against. Perhaps when > Mono goes gold... Completely agreed. If there is a developer who wants to contribute a VBD/Db I say more power to them, but I can't see myself spending any appreciable amount of time developing on/for this platform. (Hey, I had to play with ISS's Internet Scanner and almost went out of my mind -- go Nessus!) In the end, I suppose its not fair to rule out these languages based on their vendor or said vendor's intentions, but as Alex said, anyone developing for this platform using these tools probably has more to worry about. (Though the latest OpenSSL escapade doesn't say much for us, other than turn-around time on patches.. :->) > > Additionally, providing filters for MS languages, while undeniably > necessaray, almost condones their use for security-critical applications, > and I think that if we ever do ship such a port, we should point out to > developers the insecure posture that relying upon a vendor like MS > inherently creates. I wish I would have read this paragraph before writing all of that up there :-) > > Should we grease the squeaky wheel? I don't have a strong opinion one way > or the other, save that for the time being I'm "out" when it comes to > developing such a port. > This document, though, is most definitely on the write track (save the fact that its not in PDF or PS, but rather MSWord -- Thanks OpenOffice!). In short, I've a "Yes" vote. -matt |
