Date: Sun, 19 Mar 2023 14:59:46 +0100
From: Solar Designer <solar@...nwall.com>
To: Georgi Guninski <gguninski@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: First result on google promotes insecure coding (XSS)

On Sun, Mar 19, 2023 at 03:05:24PM +0200, Georgi Guninski wrote:
> Does the so called security "community" plan to reduce teaching
> insecure code?

Georgi, are you part of the community?  Do you have a plan you're going
to follow yourself or/and recommend to others?  If so, please share it.

It's easy to distance yourself from the community and criticize it, or
to claim there isn't a community like you seem to imply by the quotes.

It's more effort to be part of the community and actually do things.

Sometimes this involves figuring out the author's contact address (not
always straightforward or reasonably possible at all) and asking them to
make an edit.  Other times the content is on a forum where you can add a
comment, e.g. StackOverflow.

Have you contacted the site in question and suggested an edit to them?

There's no systematic effort like this that I'm aware of - maybe there
should be.  Maybe it should be funded.  Maybe it should focus on top
search engine hits for a curated list of relevant search queries.

Another approach is to write higher-quality tutorials that may become
the new top hits.  For example, I wasn't into PHP at all, but I wrote
and submitted "How to manage a PHP application's users and passwords" to
Stefan Esser's Month of PHP Security in 2010 and it's been up on the
Openwall website since.  While it's quite dated now, I think it helped
at the time and for a while.

Alexander
