[WEB SECURITY] Re: [Webappsec] Corsaire whitepaper: Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)

["Andy Steingruebl" <steingra@xxxxxxxxx>]

On Tue, Jul 15, 2008 at 6:02 AM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
> Breaking the Bank
> (Vulnerabilities in Numeric Processing within Financial Applications)
>
> By Adam Boulton, Stephen De Vries, Kevin O'Reilly, July 15, 2008
>
> This paper draws attention to how the use of common programming APIs and
> practices could lead to flaws in the processing of numeric data, which
> could in-turn allow attackers to manipulate the outcome of transactions
> or otherwise interfere with the accuracy of calculations.
>

You've pointed out some clearcut issues in using floats to represent
financial values.  Except in cases where you need to specifically deal
with calculations likely to result in rounding (or the need for it)
specific data structures that model things like dollars and cents are
a much better solution, yes?

As in, do fixed precision handling of all currency.  There are
certainly cases where this isn't possible, but for most financial
applications that simply need to do things like track a balance,
handle in/out flows, etc.  you don't ever need to round, and can use
relatively simple fixed-precision for this sort of thing.

Yes?

-- 
Andy Steingruebl
steingra@xxxxxxxxx

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA