RE: [WEB SECURITY] cross site trace
- From: "Tom Brennan" <tomb@xxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] cross site trace
- Date: Tue, 22 Jul 2008 19:01:54 -0400
That is one of the perfect reasons for a WAF with custom rules ~ "identify
vuln, mitigate, add to dev list" while its rating is being discussed of
course.. Until then it's fixed <grin>
-----Original Message-----
From: Brian Shura [mailto:bshura@xxxxxxxxxxxxx]
Sent: Tuesday, July 22, 2008 6:24 PM
To: 'James Landis'; 'Arian J. Evans'
Cc: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] cross site trace
James Landis said:
"Or you can just *patch and save time
debating the risk of the issue*."
But if the issue really is very low risk, couldn't implementing the security
patch be more risky than just leaving the issue alone? Any time you make
changes to the web server you run the risk of introducing more bugs and
sometimes the "fix" could actually end up making things worse.
-Brian
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org