Wednesday, October 13, 2010

When is a Patch not a Patch?

When is turning off IIS's ASP.NET 2.0 Web Service Extension considered a patch? Yet in at least one of Microsoft's Patch Tuesday releases, that is exactly what happened (KB953300).

Really, Microsoft?

Actually, I believe it was a flawed fix that disabled the feature in the process of installing the updated dll.

Some references:

http://power-programming.co.uk/post/2009/10/21/ASPNET-stopped-working-after-installing-Microsoft-NET-Framework-20-Service-Pack-1-Update-KB953300-.aspx

http://www.asp.net/learn/whitepapers/ms03-32-issue

Monday, July 5, 2010

Security is not a concern for Web RIA? Really?

Ok, so I am a bit peeved these past few months... no, these past few years. In my few experiences as a developer of Rich Internet Application (RIA) interfaces

Why is it that the two most prominent RIA platforms do not sufficiently support cryptography? For the hundreds of thousands of dollars spent by Adobe on its Creative Suites (Flash/Flex/Air/Actionscript), and the millions of dollars spent by Microsoft on Silverlight, why is security such a non-issue?

Java, whose applet UI has always had a poor user experience, has supported full cryptography and security since 1.3 (or 1.2 with the separate JSE package).

Yet, for the overwhelming majority of the market in rich user interfaces owned by Adobe and Microsoft, there is no security - unless you rely on SSL. Granted, Actionscript has some great contributors for some crypto; but where are the big boys?

There is a plethora of publicity surrounding enterprises that have allowed security breaches against their consumers; I feel the same onus should be put on the manufacturers of software development interfaces. If a company plans to sell a web-supported UI, it should be required to support [X] level of encryption: securing data at rest (in memory) and in transit (beyond just SSL).

What do you think? Do organizations like OWASP have the backing to induce such changes?