[documentation] security pages in handbook
Laura Scott
laura at pingv.com
Sun Oct 14 23:32:11 UTC 2007
On Oct 14, 2007, at 2:54 PM, Greg Knaddison - GVS wrote:
>
> I'd like to get into this section more. The current system is
> organized like this:
> # Writing secure code
> * Input, the root of all evil
> * Database access
> * File uploads, downloads and management
> * Handle text in a secure fashion
> * JavaScript
> * Session IDs
> * When to use db_rewrite_sql
>
> One other proposal has been to organize it more like this:
>
> # Writing secure code
>   * Database Access
>     * Avoiding SQL Injection
>     * Avoiding Access Escalation
>   * Presentation
>     * Avoiding XSS
>   * Forms
>     * Avoiding CSRF
>
Personally I find the first to be more intuitive. Rather than
focusing on known things to react to, focusing on what you can do
security-wise in each area of development seems to make sense to me.
It also makes it easier to look up later. ("What was that thing again
about security and Session IDs?") It uses for structure what the
developer does.
imho.
Laura