Tuesday, October 30, 2007

Web application security

What not to do.

UPDATE: I meant to point out that it's a good anecdote about people who know some cryptography (or at least the terminology), but miss the absolute basics of security.

I am still not entirely convinced of the overall utility of encrypting data at rest (taking a comprehensive view of 'data in transit', e.g. laptops and backup tapes). Physical security should protect that and, anyway, the server is normally up with the encryption keys in cache.

But can you ever get a proper security requirements specification from a client?