This argument revolves around money - which is a point of view few programmers ever take into consideration. What is best for the owner?
Charlie is correct - the need for security varies. How does it vary? Based on a risk / reward ratio that has to be chosen by the business owner. Our job is to communicate to the business managers what the risks are and what the costs are. Do you want to spend xx dollars to mitigate this risk or would you prefer to take an approximately xx% chance that this bad thing will happen in order to save $xx upfront development costs. I tend to argue on the side of more security but the final decision rests with the business owner. They pay the bills either way. Usually, extra security is not very expensive but high security paradigms can be very expensive. Too many programmers think this is some kind of art. It isn't. It is just producing a defined product in return for some perceived value. Lest anyone think I'm poking a finger at Dean - no. I learn something new just about every post he makes. -----Original Message----- From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Charlie Arehart Sent: Wednesday, March 11, 2009 10:52 AM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] over-stating security concerns? (was RE: ValidateAt parameter is effectively only client side ) Sure, but I've got to ask: is that a concession to my point? :-) (that not every app that uses CFINPUT validation would be harmed if some bastard removed it?) This isn't about me winning an argument, by the way. It's just that I can't tell if you're letting it go because you think I can't be convinced (or don't want to belabor the point), or because now that my point is clear, you see it's not so loopy after all. :-) If you'd say it's the former, fair enough, and don't feel compelled to make the point. I'm sure you've plenty busy, and others may feel that the two sides have been represented. This was just another of my counters to the assertion that some less-than-perfect features in CF need to be abandoned by all (CFFORM being among those often named). I just say, that's just not so for everyone. We just need to understand its limitations, and for that I do thank you and others for keeping us in mind of that. /charlie -----Original Message----- From: ad...@acfug.org [mailto:ad...@acfug.org] On Behalf Of Dean H. Saxe Sent: Wednesday, March 11, 2009 11:23 AM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] over-stating security concerns? (was RE: ValidateAt parameter is effectively only client side ) Of course there is no disrespect Charlie. I think we all need a big group hug. ;-) Dean H. Saxe, CISSP, CEH ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com ------------------------------------------------------------- No virus found in this incoming message. Checked by AVG - www.avg.com Version: 8.0.237 / Virus Database: 270.11.9/1993 - Release Date: 03/11/09 08:28:00 ------------------------------------------------------------- To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
