Comments on Jeremiah Grossman: Web Application Security Professionals Survey (Oct 2007)

Camrin (2016-08-26):

Thanks for sharing this survey about web application security.
Really, it's a very informative post. Keep posting such posts.

Mobile Application Security Audit Company


Glenn Davis (2010-10-24):

It would be interesting to repeat the survey and see what has changed over time.
Glenn Davis
DataStar
http://www.surveystar.com


Web Development Company, http://www.inforlinx.com (2010-10-02):

Wow, really very nice survey about web application security. Thanks for sharing nice information. Awesome post.


Anonymous (2008-07-01):

Unlike most of the people responding to this survey I'm just a simple business owner, and what I have been reading within these posts indicates that in reality there is no security.

I am waiting for a friend of mine to finally complete his encryption development on some products that have proven to be unique and, to date, after 10 years of attempts, unbeatable. NSA has tried for years and cannot beat the encryption.

It's an interesting product and is described as keyless encryption. Most encryption gains, if lucky, 3% of capability and is looked at as a gold standard when it improves.

This product is well beyond what is available now.

I believe one day this type of discussion will not be taking place. We will all be saying "remember when we used to".

The best to all who read this. Security is coming.

Craig


Anonymous (2007-11-02):

Awesome survey, the answers seemed spot-on with my experience. I've noticed a correlation of martial arts in the InfoSec field as well. After all, it doesn't matter how strong your encryption is if someone can beat your password out of you (the ol' rubber hose attack ;)

-Tom


Jeremiah Grossman (2007-11-01):

@chris, thanks much. Yah, I was hoping for more and better stories there, but it was not to be. I think I might be able to improve the answers in future surveys with some more creative questioning. I'll have to think about it.

@kingthorin, thanks for bringing that up. I'll do that next time.


Anonymous (2007-11-01):

Hey Jeremiah, can I make a small suggestion for the future?

Post the results as a new BLOG article.
I would have missed them if I hadn't scrolled down the page to read some comments on some other articles that had on-going discussions.


Unknown (2007-10-31):

Hey Jeremiah. I enjoyed this edition of the survey. Nice job.

Of particular interest was the "your most clever attack" question, as that used to be one of my favorite questions to ask when I was interviewing people for pen testing positions. A couple of great answers from the survey (love the CICS injection attack), but I was a little disappointed by the ones that were just variations on XSS and SQL Injection, or simple authorization bypasses.

To those people citing NDAs as the reason for staying silent: describing the attack technique doesn't violate your NDA. Just don't disclose the customer name or the application or any other specific details of the target. Man up and let's hear those stories. :>


Jeremiah Grossman (2007-10-31):

Thanks for the feedback Marcin. Glad you liked it. Yah, every survey gets a little bit better as I'm still learning how to put together the right type of questions and answers.


Marcin (2007-10-31):

@Jim, 405 baby! ;P

Great work on the survey Jeremiah.. I didn't take the survey initially, but for the next survey, I think the following questions need more answer choices:

AJAX question is pretty much, "is it bad, or ugly??"
No "good answer" there..

Regarding application 0day selling, you need the "no" choice next to "other".

Martial Arts question needs an "I don't do any physical activity besides breathing and eating."

That is all.. Looking forward to the next survey :)


Jim Manico (2007-10-30):

Combat Sports are decent for InfoSec pros but don't always help with client relations! For the perfect balance of testosterone and InfoSec, I recommend a rigorous weight lifting program. I'm up to 280 lbs on my dead lift. Bring it ON gentlemen! :)


Anonymous (2007-10-26):

"Training on fighting sports will not help on fighting against hackers..."

I don't think I agree with that 100%. Training in fighting sports (or with a punching/kicking bag) is great stress relief for ANY job.

At the same time I do think "The Art of War" is a good read.


Anonymous (2007-10-25):

Training on fighting sports will not help on fighting against hackers; instead, learning "The War of Art" will.

See "Applying the Concept from The Art of War" at http://intnetjournal.com/eSecurity/eSecurity_Philosophy/esecurity_philosophy.html


Anonymous (2007-10-25):

Site requires JS?!
I'm so glad JS is finally getting around... all these years we've never been able to take online surveys!!

;-P


Jeremiah Grossman (2007-10-25):

Hahah, I didn't even consider that. It's not my code. :) But if you feel so inclined (paranoid), go right ahead and view source. Heh. :)


Anonymous (2007-10-25):

It's not a joke or contest that you need <A O\NMOUSEOVER="alert('boom')" HREF="#" REL="nofollow">malware</A> (aka JavaScript) enabled to complete the form? Is it?


Anonymous (2007-10-24):

Your application firewall doesn't like XSS jokes in the survey :)

<script>alert('lame!')</script>


Jeremiah Grossman (2007-10-24):

romain, maybe. :) Though in my experience there is a high percentage of infosec people doing combative type sports... I just wanted to know what they were :)


Anonymous (2007-10-24):

Good to see the surveys back!
For the last question, do you plan to extract some correlation between working in the security field and fighting sports?
:P


Anonymous (2007-10-24):

Cool!

It's what I was waiting for ;-).

Will look at this Survey in a short time.