Additional thought on XSRF

One great thing about XSRF is that it proves tools won't eliminate the need for smart, security-savvy engineers. An XSRF attack is made of completely legitimate-looking requests, sent by the browsers of completely legitimate, logged-in users; the only thing wrong with them is that the user never meant to send them. Right now, no automated code analysis or black-box testing tool is going to flag that class of vulnerability, because the defect is a missing check on intent rather than a malformed input the tool can recognize. The industry still needs security-focused engineers to make sure that user conveniences (a session cookie the browser attaches to every request, for instance) are properly mitigated so that they aren't also attacker conveniences.
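To make the point concrete, here is an added example (not code from the original post) of the usual mitigation, a synchronizer token, beside the handler it fixes. The "server", session store, requests and the origin https://bank.example are all simulated in-process and are assumptions for illustration; a real application would get the same values from its web framework.

```python
"""Synchronizer-token defence against XSRF, as a toy request handler.

Constructed example: the server, session store and requests are simulated
in-process.  The point is that the forged request is byte-for-byte as
legitimate as the genuine one except for the token the attacker cannot read.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Request:
    """The parts of an HTTP request that matter for XSRF: cookies the browser
    attaches automatically, the form body, and the Origin header (if any)."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None


# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: Dict[str, Dict[str, str]] = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin of the application


def login(user: str) -> str:
    """Create a session plus a per-session anti-XSRF token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Value the server embeds in its own forms as a hidden field.  Only a page
    served from SITE_ORIGIN can read it, so only such a page can echo it back."""
    return SESSIONS[sid]["csrf"]


def transfer_vulnerable(req: Request) -> str:
    """Authorises on the session cookie alone.  A cross-site form post carries
    the same cookie and an identical body, so nothing here can tell them apart."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "401 not logged in"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def transfer_hardened(req: Request) -> str:
    """Same handler plus two checks an attacker's page cannot satisfy: the
    Origin header, when the browser sends one, must be ours, and the form must
    carry the per-session token, compared in constant time."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return "401 not logged in"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "403 cross-origin request rejected"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return "403 missing or wrong anti-XSRF token"
    return f"200 moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def demo() -> Dict[str, str]:
    """Run a genuine and a forged transfer against both handlers."""
    sid = login("alice")
    # Alice's own submission: the token came from the form the server rendered.
    genuine = Request(
        cookies={"sid": sid},
        form={"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)},
        origin=SITE_ORIGIN,
    )
    # The same action forged by a page on evil.example while Alice is logged in:
    # her browser attaches the cookie, but that page cannot read her token.
    forged = Request(
        cookies={"sid": sid},
        form={"to": "mallory", "amount": "1000"},
        origin="https://evil.example",
    )
    return {
        "vulnerable_genuine": transfer_vulnerable(genuine),
        "vulnerable_forged": transfer_vulnerable(forged),
        "hardened_genuine": transfer_hardened(genuine),
        "hardened_forged": transfer_hardened(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Origin check is a belt-and-braces addition: older browsers and some non-browser clients omit the header, which is why the handler only rejects when the header is present and wrong, and why the token check is the one that must always run.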

I have a feeling the AJAX talk later today at SPICON will probably say just about the same thing. Better engineering results in better apps.