Re: [WEB SECURITY] PCI 6.6 Questions

["Dean H. Saxe" <dean@xxxxxxxxxxxxxxxxxxxxxx>]

Wow... that's a truly sad statement by the vendor.  Secure coding  
doesn't have to be slower than bad coding... look at Microsoft and  
the SDL.  *sigh*

-dhs


Dean H. Saxe, CISSP, CEH
dean@xxxxxxxxxxxxxxxxxxxxxx
"Free speech exercised both individually and through a free press, is  
a necessity in any country where people are themselves free."
    -- Theodore Roosevelt, 1918


On Jun 2, 2007, at 4:16 AM, Colin Watson wrote:

> Dear Dean
>
> > In my experience with WAF's I have never seen such behavior caught by
> > the WAF.  The example is trivial, but all too real.
> >
> > WAF vendors, what do you say?
>
> This discussion is excellent with lots of good issues raised.  I  
> support the use of WAF in combination with secure development  
> practices.  However, it concerns me when WAF suppliers suggest that  
> bad coding can be allowed if you have a WAF.  Paraphrasing what it  
> says on one product info page (since the sales text is  
> copyrighted), and I hope not to have altered it's general meaning:
>
>   REDUCED WEB APP DEV COSTS
>   Without a WAF developers have to look for security problems and  
> fix them....
>   With a **** developers can concentrate on rapid application  
> development
>   knowing that their code is protected...
>
> I find this stance unhelpful, even unacceptable and contrary to  
> what some of the helpful WAF community have been saying in this  
> discussion.  Unfortunately I think it devalues their credibility  
> and product.  It's a pity.
>
> Regards
>
> Colin Watson
> Technical Director
> Watson Hall Ltd
> http://www.watsonhall.com


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]