This is a mirror of official site: http://jasper-net.blogspot.com/

Kaminsky Issues Developer Tool To Kill Injection Bugs

| Monday, June 21, 2010
Researcher's new startup offers up new approach to preventing common SQL injection, XSS vulnerabilities in software

Renowned security researcher Dan Kaminsky today went public with the launch of a new venture as well as its first deliverable -- a tool for application developers that helps prevent pervasive string injection-type attacks, such as SQL injection and cross-site scripting (XSS).

Kaminsky says his New York-based startup, Recursion Ventures, will productize research that breaks new ground in both security and technology, in general. His first deliverable is Interpolique, a tool that offloads much of the security responsibility from the developer, which he considers crucial to yielding more secure applications. "Security development tends not to care how inconvenient it is for developers," Kaminsky says. "[This is] about meeting developers halfway."

The trouble with today's model for writing more secure code and sidestepping known injection attacks, Kaminsky says, is it makes development much more difficult and requires more work for developers. The result: Developers often don't bother adopting these practices at all, resulting in insecure code, he says. "A lot of advice we give in security tells people to write things in a way that makes code hard to work with and use ... I think that's unnecessary," he says. "Our hope is to make an easier way to write code that's also the most secure."

Interpolique -- which was released for security experts and IT to poke around at and analyze, but not to use operationally -- is basically a framework that lets developers continue to write code the way they always have, but with a tool that helps prevent them from inadvertently leaving string injection flaws in their code. It requires developers to use different prefixes that describe variables of the strings, without requiring any major changes to their coding style, he says. And the resulting code is automatically formatted in such a way that can't be easily abused by the bad guys.

Read more: dark Reading

Posted via email from .NET Info

0 comments: