Set<Integer> pageNumbers = new TreeSet<Integer>();

Got it now, many thanks and sorry for spamming thread.

Seems like a cool idea for sure. Love that you'll list your own site.

I take it your base strategy is just "build it and they'll come" (+mention it in some places etc)? What are you using to process money (stripe?) I guess your business model is just taking a cut?

Use the old "hypothsis, measure, learn" feedback loop agressively from the getgo

Yeah I love that idea, I've actually wondered a number of times why it doesn't exist already.

Giving up with this one, been a couple of hours and getting nowhere:

What would be the best way to implement a method that prints out the keys that were located inbetween a minimum and maximum range of pages?

ie. If I entered in a dialog that the min page was 3, and the max page was 15, I would want it to return back a list of Keys contained on those pages only.

I have tried some for each statements nested with an if statement but I can never get it to print out specific keys. It seems easier to do the other way around but I'm not allowed to do that.

foreach item in bookMap:
loop over min-max and check if that number is in the set, if it is append the corresponding string to results and break (unless you want to count words as well...problem description doesn't say that so result should be a set)

[alternatively you can loop over min-max and check if the current number is in the set for all sets of bookMap i.e. make the min-max the outer loop]

The reality is that *most* companies either don't care or don't have the resources to do anything about it.

I've read it more than once that security auditors generally pull up last year's audit and see that nothing was done in that audit. These are a mix of Big Co. (TM) with certified security consultants and small mom-and-pops.

Most companies can simply buy or copy / paste those silly Norton Security check-boxes despite having an insecure site. It comes down to customer trust and gaining customer trust is less expensive.

Many companies that do have security issues use a web-dev house that can't secure a site to save their asses. I was absolutely appalled by this when I was doing research for a website at the old company. Out of the 75 or so web companies I researched, all but 5 of them didn't create sites that failed the basic security check. Any script kiddy could write a scraper and find 10,000 sites in less than a day that all fail the basic "bad url" test. My conclusion is that if companies really wanted to have their sites audited like facebook, then they would take a bit more care in their initial sites, and if there was any money to be made, hell, anyone could do it quickly, but apparently the care and demand isn't really there, because there is more supply than anyone can care to ponder.

There is a mountain of evidence showing that companies simply don't care. It probably doesn't help that LinkedIn and Sony got hacked, as this give the impression that "if they can't beat the hackers, what can I do?" Regardless of the reality of those companies atrocious practices, it still gives the impression of hopelessness.

I want to give a further rant about how this attitude is pervasive to all corners of business, but I'll stop here.

I wonder how viable this business is:
1) Get a couple of automated security scanners (iirc the de fact standard costs like 299$/year or something)
2) Offer basic security audits...use said scanners...find stuff, suggest fixes
???
Profit

In a place like LA you can probably turn this into a 10k/year side business* without much hassle. Maybe find a good security consulting team to hand off (or develop those skills yourself eventually) to once you have completed the idiotic step.

*100$ for a quick scan or something silly = 100 scans/year

Why not just build the scraper to search for bad urls, then email all the companies with a simple message and a screen shot showing their sites are bad? You can partner with one app sec expert to start with and the build from there.

At my old company, I showed them how easy it was to expose the entire schema on their site, but they looked at me and said "so what?" then hired the same company to rebuild the site. Their attitude was "we're small, it won't happen to us" and I wouldn't doubt that attitude is pervasive.

what do you mean specifically by "bad URL"?

Thanks man think I got it.

I think it's against forum rules to explain these things, but I'll hint that I'm talking about step one of x. Unfortunately, my app sec knowledge basically ends there.

I just think that app-sec suffers from an education problem, and I don't think it is one of those things people care too much about until something bad happens to them, and the education basically begins and ends with a screaming headline about how Anonymous hacked some site, then read further and see it is a DDOS, and I'm just like..

IMHO, the right solution is to have web frameworks that force good security practices. Otherwise, getting security right is just too hard for most companies.

Huh?

That's the screwed up part. Many of these companies are.

Plenty of companies have say a ton of money to throw at security, there are just no current existing solutions that offer good testing and a reasonable price point. Enterprise companies have ridiculous amounts to secure their data, try to, and still fail in the existing model.

We're excited about the crowdsourcing model for a lot of reasons.

+1

I don't think it's against the rules of this forum to explain what a "bad url" means. + I am curious!

It would obv be against the rules to posts e.g. "omg I found a serious security problem with Amazon.com - post a request in the form amazon.com/?===4ll'';&pass=%$%%; and you can access a random account's credit card storage page - Enjoy!"

I agree. I think its a great idea and definitely worth a shot.

I think this is a really cool idea too but I'm not sure that I'd use it.

How do you guarantee confidentiality?
How do you keep bad guys out?
What happens if somebody causes damage?
How do you protect yourself from any liability?

I'd have a bunch of questions that I'd need really good answers to before I'd even consider it.

Well, okay... I was being cryptic about the "bad url" part, but, what I mention is about 55 seconds in: Basic SQL Injection Tutorial

There is a ton of videos on youtube about this stuff, but here is Kevin Mitnick discussing his strategies and here he talks about how many companies don't seem to give a 2 hoots:
Adaptive Pen Testing

A while back, I read this book: the CISSP Exam Guide which was quite discouraging. Her attitude towards programmers is derisive at best.

We call him little Bobby Tables

I know you're not the mouthpiece for your company, but I have a hard time wrapping my brain around this logic. There are tons of excellent penetration-testing firms out there. What does crowd-sourcing offer that they don't, and how do you allay the concerns txpstwx raised, which are seriously legitimate for a company?

This next may well be my own cynicism caused by seeing way too much darkness in the world, but when you see companies with "tons" of available money, they aren't sitting on that cash or spending it poorly for the reasons you'd intuit. I don't feel like getting into it, but in general, companies do more ass-slapping than a gay baseball team at the World Series.

So I'm really digging jade over dust. I like the structure, and it's a lot easier to do stuff like spit out some JSON into a script tag, and extend from base templates.

Another nice feature (added two weeks ago) is the ability to use absolute and relative paths inside the templates. IE - extends /shared/templates/base-template This will make organizing our templates soooo much easier.

One problem though is that you have to feed a basedir property in the options object to the jade.compile method, or it breaks. How exactly do you do this when using res.render?
IE this is all we're doing to generate our HTML, there is no compile explicitly called: res.render(path.join(__dirname, 'entertainment.jade'), res.locals.data);

So far I have found a way by overriding the jade.compile method. But I feel this is kind of hacky:
My coworker suggested adding this as a pull request to express. But I'd like to make sure there isn't a better way. Anyone have any thoughts or suggestions?

If you're talking about Express you can just set the basedir by doing:

It's been like this for like 2 years now and is well documented. I pointed you to the github express /examples folder a few months ago. He has a jade example there for doing basic every day things. I'm not sure how it ties into the new feature though.