On Wed, 11 Jan 2012 01:33:18 CST, Laurelai said: > If you guys cant scan for basic sql injection and these kids can then > theres a real problem, thats my point here. That may or may not be true. Doesn't mean you have the right solution. Also, you seem to keeo forgetting that this is an asymmetric problem. The security guy has to scan *every single* entry point of *every single* app for an SQL injection, which could take a while for a large company. They are usually limited in how much time they have (two to four weeks, usually). And then scan for *every other* thing on the OWASP Top 10. One script kiddie gets lucky and finds one hole, they get their name in the news. > As the ancient proverb says "Set a thief to catch a thief" The fact it's a proverb doesn't make it correct or useful in today's world. http://www.answers.com/topic/set-a-thief-to-catch-a-thief Maybe in 1665 it was the best way to do it. I'd certainly hope that today with modern techniques like fingerprints and DNA and surveillance cameras, a detective is better at chatching thieves than another thief would be. Remember - the fact the guy knows how to pick a 5-tumbler lock doesn't mean he knows how to lift the prints off said lock after somebody else did it.
Attachment:
pgpzZ8VG0CssT.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/