by pdkl95
3736 days ago
> Never blacklist.

http://www.ranum.com/security/computer_security/editorials/d... "The Six Dumbest Ideas in Computer Security"

#1) Default Permit
...
#2) Enumerating Badness
...

The unfortunately common assumption that security is about preventing badness has done an incredible amount of damage to security. We see it everywhere. A huge amount of so-called "security" products (such as antivirus) are a futile exercise in trying to enumerate all of the bad things in the world.

The better approach is using proper recognizers built from explicit, formal grammars whenever possible. Meredith and Sergey explained this problem very well in their talk[1] at 28c3. Define the grammar for valid inputs, use a parser generator to avoid bugs, and move on to the next problem instead of endlessly adding checks for bad input.

[1] https://media.ccc.de/v/28c3-4763-en-the_science_of_insecurit...
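An added illustration of the recognizer-versus-blacklist point above (example code written for this page, not pdkl95's code and not from the 28c3 talk). The grammar, the `BLACKLIST` tuple and the `key=value` line format are all hypothetical, chosen only to show the difference: the blacklist is an attempt to enumerate badness and is bypassed by trivial encoding changes, while the recognizer is a hand-written recursive-descent parser for an explicit grammar that accepts exactly the language it defines and rejects everything else (default deny). A parser generator would be the usual choice for a real grammar; the recognizer is written by hand here only so the example runs stand-alone.

```python
"""Default deny: a recognizer built from an explicit grammar vs. a blacklist.

Hypothetical grammar for one configuration line (chosen for this example):

    line   := key "=" value
    key    := lower (lower | digit | "_")*   at most 32 characters
    value  := number | string
    number := digit+                         at most 10 digits
    string := '"' char* '"'                  char := printable ASCII except '"' and '\\'
"""
import string

# --- the "enumerate badness" approach: a blacklist of substrings --------------
BLACKLIST = ("<script", "../", ";", "--")   # constructed list, for illustration only


def blacklist_accepts(line: str) -> bool:
    """Accept anything that does not contain a known-bad substring."""
    lowered = line.lower()
    return not any(bad in lowered for bad in BLACKLIST)


# --- the recognizer approach: accept only what the grammar derives ------------
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
KEY_CONT = LOWER | DIGIT | {"_"}
STRING_CHAR = {chr(i) for i in range(0x20, 0x7F)} - {'"', "\\"}


class Rejected(Exception):
    """Raised as soon as the input leaves the language of the grammar."""


class Recognizer:
    MAX_KEY = 32
    MAX_DIGITS = 10
    MAX_STRING = 256

    def __init__(self, text: str):
        self.text = text
        self.pos = 0

    def peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else None

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            raise Rejected(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def run_of(self, allowed: set, limit: int) -> str:
        """Consume a run of characters from `allowed`, enforcing a length bound."""
        start = self.pos
        while self.peek() is not None and self.peek() in allowed:
            self.pos += 1
            if self.pos - start > limit:
                raise Rejected("run exceeds grammar length bound")
        return self.text[start:self.pos]

    def key(self) -> str:
        if self.peek() is None or self.peek() not in LOWER:
            raise Rejected("key must start with a-z")
        return self.run_of(KEY_CONT, self.MAX_KEY)

    def number(self) -> int:
        digits = self.run_of(DIGIT, self.MAX_DIGITS)
        if not digits:
            raise Rejected("empty number")
        return int(digits)

    def string(self) -> str:
        self.expect('"')
        body = self.run_of(STRING_CHAR, self.MAX_STRING)
        self.expect('"')
        return body

    def value(self):
        c = self.peek()
        if c == '"':
            return self.string()
        if c is not None and c in DIGIT:
            return self.number()
        raise Rejected("value must be a number or a quoted string")

    def line(self):
        k = self.key()
        self.expect("=")
        v = self.value()
        if self.peek() is not None:          # the whole input must be derived
            raise Rejected("trailing input after a complete line")
        return k, v


def recognize(line: str):
    """Return (key, value) if `line` is in the grammar's language, else None."""
    try:
        return Recognizer(line).line()
    except Rejected:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: two benign lines and three the blacklist misses.
    for sample in ('port=8080', 'name="hello world"', 'path=..\\etc',
                   'x=%3Cscript%3E', 'Port=1'):
        print(f"{sample!r:24} blacklist={blacklist_accepts(sample)!s:5} recognizer={recognize(sample)}")
```

The blacklist passes `path=..\etc` and `x=%3Cscript%3E` because neither string contains a listed substring; the recognizer rejects both (and `Port=1`, whose key is not in the grammar) without any knowledge of attacks, simply because they are not sentences of the grammar. Adding a length bound per rule also makes the accepted language finite, which is what lets you reason about the downstream code that consumes the parsed values.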