Hi Ahmed,
First of all, your are probably 'IT Audit Manager' and not 'IT Audit Manger' as
your email saids at the very end :-)
Second, your question ... Well, I posted myself a thread relating to your
trouble on this list a couple of days ago (BTW, the thread seems still open):
"ASP vs. ASP.NET". And the reply was was I was thinking:
- You can do secure apps. and crap apps. with asp and asp.net ...
- asp.net is easier to develop with than asp .... but harder to learn
:).
It's then so stupid to tell that using Perl/asp/asp.net/whatever language is
THE solution: every language can be THE solution, if people using it are good
enough to develop it in a good manner. But asp.net seems easier to secure than
asp, that's sound OK.
So the IT people you are talking do not seem very skilled to me, and maybe lazy
as well.
Maybe the best way to convince them is to make a compil of docs written by some
gurus telling what I said below ...
http://www.google.com/search?hl=fr&q=sql+injection+asp.net&lr= seems to me a
good starting point :=)
HTH !
-----Message d'origine-----
De : Mohamed Ali [mailto:rxmohamed@hotmail.com]
Envoyé : mardi 12 octobre 2004 09:23
À : webappsec@securityfocus.com
Objet : aspx applictions SQL Injection
Hi all,
I did a full pen-test on my client's web application and almost I can get all
data and data dictionary information I need through exploiting SQL injection
vulnerabilities they have in many dynamic pages.
The question is when I discussed these issues with IT people they recommend
not to solve any of them but just converting to .Net technology I'm not
familiar with Net tech. but this recommendation sounds weird to me IS THERE
ANY WAY TO PROVE THAT THEIR RECOMMENDATION IS NOT ENOUGH TO PREVERT UNAUTHRIZED
ACCESS THROUGH SQL INJECTION (their platform IIS ,SQL Server and Oracle )
Any suggestions would be appreciated.
Thanks
Ahmed Rashad
IT Audit Manger
Experts.ae
_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.com/
