It is way easier for attackers to reverse engineer desktop applications than web applications. Assuming proper server configuration, it is next to impossible for an attacker to get the server-side source code or compressed form (e.g. WARs) for a web application and proceed with disassembly/decompilation/patching. I do not have any experience with obfuscating or otherwise armoring executables created from scripting languages (such as win32's py2exe) but I would venture a guess that it would be tedious and less effective than armoring a C/C++ based executable.
To turn the argument the other way round, if we accept what you say as correct within the realm of web applications, the Ruby-On-Rails and Django guys (to name but two) are in a serious folly and are not able to provide secure frameworks owing to their choice of scripting languages. I, for one, do not think that this is the case :-)

sc-l-requ...@securecoding.org wrote:

Message: 6
Date: Thu, 18 Mar 2010 15:11:29 -0400
From: ljknews <ljkn...@mac.com>
To: sc-l@securecoding.org
Subject: Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)
Message-ID: <p05200f40c7c82b12b...@[146.115.107.213]>
Content-Type: text/plain; charset=us-ascii

At 7:36 PM +0200 3/18/10, AK wrote:

> > Who says so, in the context of web applications?
> > I can see it (somewhat) from a "desktop" application
> > perspective, but how is this relevant in web apps?

> Why should standards for a "web" application be different than for a "desktop" application ?

--
Larry Kilgallen

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________