http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=225700088

By Kelly Jackson Higgins
DarkReading
June 14, 2010

Renowned security researcher Dan Kaminsky today went public with the launch of a new venture as well as its first deliverable -- a tool for application developers that helps prevent pervasive string injection-type attacks, such as SQL injection and cross-site scripting (XSS).

Kaminsky says his New York-based startup, Recursion Ventures, will productize research that breaks new ground in both security and technology, in general. His first deliverable is Interpolique, a tool that offloads much of the security responsibility from the developer, which he considers crucial to yielding more secure applications.

"Security development tends not to care how inconvenient it is for developers," Kaminsky says. "[This is] about meeting developers halfway."

The trouble with today's model for writing more secure code and sidestepping known injection attacks, Kaminsky says, is it makes development much more difficult and requires more work for developers. The result: Developers often don't bother adopting these practices at all, resulting in insecure code, he says.

"A lot of advice we give in security tells people to write things in a way that makes code hard to work with and use ... I think that's unnecessary," he says. "Our hope is to make an easier way to write code that's also the most secure."

Interpolique -- which was released for security experts and IT to poke around at and analyze, but not to use operationally -- is basically a framework that lets developers continue to write code the way they always have, but with a tool that helps prevent them from inadvertently leaving string injection flaws in their code. It requires developers to use different prefixes that describe variables of the strings, without requiring any major changes to their coding style, he says.
And the resulting code is automatically formatted in such a way that can't be easily abused by the bad guys.

[...]

Received on Tue Jun 15 2010 - 22:22:44 PDT
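The prefix-tagging idea the article describes, as an added illustration written for this post (not Interpolique's code, whose actual syntax and encoding the article does not give): a `^^name` marker inside the query string is assumed as the prefix, and the rewriter turns each marker into a driver placeholder so the bound value never becomes SQL text. A naive interpolating lookup is kept beside it for comparison.

```python
import re
import sqlite3

# Marker prefix that tags a variable inside the query string. The "^^" prefix
# is an assumption for this illustration, not a claim about Interpolique's syntax.
VAR_RE = re.compile(r"\^\^([A-Za-z_][A-Za-z0-9_]*)")


def compile_query(template, variables):
    """Rewrite each '^^name' marker into a '?' placeholder and collect the
    bound values in marker order, so the database driver carries the
    untrusted data instead of string concatenation."""
    params = []

    def repl(match):
        key = match.group(1)
        if key not in variables:
            raise KeyError(f"no value supplied for ^^{key}")
        params.append(variables[key])
        return "?"

    sql = VAR_RE.sub(repl, template)
    return sql, tuple(params)


def make_db():
    # Constructed in-memory sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")])
    return conn


def lookup_naive(conn, name):
    # Plain interpolation: the value becomes part of the SQL text, so a quote
    # in the input changes the statement's structure.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_tagged(conn, name):
    # The developer keeps writing one string; the marker does the rest.
    sql, params = compile_query(
        "SELECT name, role FROM users WHERE name = ^^name", {"name": name})
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_tagged(db, "O'Brien"))   # [("O'Brien", "user")]
    try:
        lookup_naive(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("naive lookup breaks on an ordinary apostrophe:", exc)
```

A legitimate name containing an apostrophe is enough to show the difference: the tagged form returns the row, while the naive form fails with a syntax error, the same structural confusion an injection exploits.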
This archive was generated by hypermail 2.2.0 : Tue Jun 15 2010 - 22:28:35 PDT