RSA is still a big deal, to vendors, as I’m sure you know. All of that monkey business with compromised security tokens? Totally water under the bridge, right?
(Ask me why I don’t have tickets. But I’d get one if any hoopy froods were going)
Yes, but if you’ve got to harden it, there is bad PHP, and there is massively bad PHP. When you have the time/resources, always port, since PHP is insecure by design.
It is the scripting language of choice for ClearCase… so yep. Luckily someone else on the team is a whiz at it.
I’m really happy that @enso decided to start a security related thread. Hell, I don’t even have to try to bend my comments into question format. I do think if we want to quibble about programming languages we should probably fork.
Ever notice how netops, secops, fraud, and compliance all seem to hate each other? Then QA comes trundling by and they all yell, eff you!!
Red team the fuck out of it, and not with internal people, unless you give them the leeway to operate independently, and are able to swallow your pride and integrate their findings.
Never been to RSA. I’ve been to Black Hat and DEFCON seven times in a row though.
I don’t deal with vendors. I deal with security bugs and running a bounty program, among other things. I don’t care what vendors are selling.
I was QA for about 14 years.
No matter the language, if you are writing it, QA is a bunch of griefers and whiners.
Funny, that was how we described developers.
Equally accurate. Except the (we) Devs are snooty on top of that.
Lucky you.
In all honesty, I don’t either. I was just pointing out why some might still care about RSA.
ETA: You opened up this whole security can of worms, so I’m hoping you aren’t going to fall back on the “not my problem”, not my area, sucks to be you crap too much.
As basically a jackass that gets roped into doing what everyone else doesn’t want to do, I love QA. And the casual indifference to the process makes me want to scream.
PayPal, but I still know a couple people from eBay (I think, they may have left)
(And Symantec, lovingly called sly-brand-trick, AVG, and a few companies you’ve never heard of)
Sorry, it was my poor attempt at funny.
$param =~ s/[^a-zA-Z0-9]//g;   # keep only [a-zA-Z0-9]; drop every other character
Was trying to make a joke about your previous comment. The eBay hack in the news comes about because “eBay performs simple verification, but only strips alpha-numeric characters from inside the script tags” (source). So yeah, totes secure
Yeah, it is honestly shit like that which makes jsfuck possible :D.
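Added example, not code from the thread or from eBay: a tiny JSFuck-style encoder placed next to a toy filter that imitates the quoted behaviour ("only strips alpha-numeric characters from inside the script tags"). The filter is a constructed stand-in, not the real one; the sample `<script>` markup is constructed; and the letters `c`, `o` and the space are pulled from the source text of `[]["filter"]`, which assumes the `function filter() { [native code] }` form that V8 and SpiderMonkey produce.

```javascript
// Added example (not from the thread): why stripping alphanumerics inside <script>
// does nothing against a payload written in the six characters [ ] ( ) ! + .
// Assumptions: the filter below is a constructed imitation, not eBay's code, and
// []["filter"]+[] stringifies as "function filter() { [native code] }" (V8, SpiderMonkey).

// A non-negative integer using only the six characters:
//   +[] is 0, +!+[] is 1, !+[]+!+[] is true+true = 2, and so on.
function num(n) {
  if (n === 0) return "+[]";
  if (n === 1) return "+!+[]";
  return Array(n).fill("!+[]").join("+");
}

// Strings that coerce out of the six characters.
const FALSE = "(![]+[])";     // "false"
const TRUE = "(!![]+[])";     // "true"
const UNDEF = "([][[]]+[])";  // "undefined"
const NAN = "(+[![]]+[])";    // "NaN"

// One character: index i of one of those strings.
const at = (src, i) => `${src}[${num(i)}]`;

const CHARS = {
  f: at(FALSE, 0), a: at(FALSE, 1), l: at(FALSE, 2), s: at(FALSE, 3), e: at(FALSE, 4),
  t: at(TRUE, 0), r: at(TRUE, 1), u: at(TRUE, 2),
  n: at(UNDEF, 1), d: at(UNDEF, 2), i: at(UNDEF, 5),
  N: at(NAN, 0),
};
for (let d = 0; d <= 9; d++) CHARS[String(d)] = `(${num(d)}+[])`;  // number + [] gives "d"

// Encode a whole string as single-character expressions joined by +.
function str(s) {
  return [...s].map((c) => {
    if (!(c in CHARS)) throw new Error(`no encoding for ${JSON.stringify(c)}`);
    return CHARS[c];
  }).join("+");
}

// []["filter"] is Array.prototype.filter; its source text supplies letters the
// strings above lack: 'c' at index 3, 'o' at index 6, a space at index 8.
const FILTER = `[][${str("filter")}]`;
const FN_SRC = `(${FILTER}+[])`;
CHARS.c = at(FN_SRC, 3);
CHARS.o = at(FN_SRC, 6);
CHARS[" "] = at(FN_SRC, 8);

// []["filter"]["constructor"] is Function; hand it the encoded body and invoke the result.
function jsfuck(body) {
  return `${FILTER}[${str("constructor")}](${str(body)})()`;
}

// Constructed imitation of the quoted filter: only alphanumerics between the script
// tags are removed; every other character stays exactly where it was.
function stripAlnumInsideScript(html) {
  return html.replace(/(<script>)([\s\S]*?)(<\/script>)/gi,
    (_, open, body, close) => open + body.replace(/[a-zA-Z0-9]/g, "") + close);
}

// True when the text consists of nothing but the six JSFuck characters.
function onlySixChars(s) {
  return /^[\[\]()!+]+$/.test(s);
}

// Stand-alone demonstration on constructed markup.
const payload = jsfuck("return 42");
const page = `<script>${payload}</script>`;
console.log("plain script after filter:", stripAlnumInsideScript("<script>alert(1)</script>"));
console.log("six-char payload untouched:", stripAlnumInsideScript(page) === page,
  "evaluates to:", eval(payload));
```

`alert(1)` comes out of the imitation filter as `()`, which looks like a win, while the encoded payload passes through byte for byte and still runs `Function("return 42")()`. The general lesson is the one the thread is laughing at: a filter that removes characters the attacker does not need is not a filter.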
And that damn eBay bug… The internal security teams are furious. The fraud teams are more than annoyed. But it appears it’s like that scene in Fight Club where Edward Norton’s character discusses car recalls.
And while PayPal rightly deserves a lot of criticism, we were at least self aware enough to launch a bug bounty program without the consent of dev really (they just didn’t know what they were getting into :D) and got in front of problems like that.
Two friends of mine almost got fired because the BB program was too successful. (Then I stepped in and smoothed things out a tad :D)
> ETA: You opened up this whole security can of worms, so I’m hoping you aren’t going to fall back on the “not my problem”, not my area, sucks to be you crap too much.
I’m not but my knowledge space is limited to Internet technologies, especially browsers. I have zero experience with security vendors, their devices, etc. so it literally isn’t part of my world. When I go to Black Hat, for example, and visit the vendors area, there is literally nothing relevant to my work there.
I was being a bit snarky there. I have opinions, and Scotch…