
Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry



Hi Dennis,

Wow! What an honor - Pete Herzog! I love your project.

Thanks! That made my night!

While I will not sit here and defend those who would choose to lie, I
think that it is really cynical to say that all security issues are
the result of lies? On a macro level "truth" is quite subjective.

It's about the status quo. I really don't like it. Now it's not so much what the people want but about what they are really getting in their infrastructure. Why is it that an OS that is touted as unsafe for hostile environments is equipped with services designed for the internet (including enterprise firewalls) and nowhere is this issue made clear? Then we have web apps that are also certainly not designed for hostile environments which are certainly not just found on intranets. Where is the warning sign? Especially how America has a way about requiring warnings on toaster ovens (they can get hot ya know!) but here's a whole industry that seems to avoid requiring protection for the clueless (or deceived). I'm the last person who thinks this ACTUALLY should happen. I hate that we need so much protection for the uninformed/uneducated (especially laws because we have way too many laws already). This means that here's an industry that self-regulates to get away with its bad practices but people let it happen because it's status quo-- except of course the ones doing full disclosure. But this is really just another flea bite to a mongrel and we see that because it is now possible to employ proper marketing techniques to fool most of the people all of the time (thanks to healthy and steady population growth of many entrants to the on-line world who just accept the way it is). So here we all are bitching about the status quo and how it's getting harder for us to practice full disclosure when in reality full disclosure isn't a problem for many of the companies out there. And like those fleas, many practicing full disclosure as a marketing tactic feed themselves from those bites.



I am certain that *many* web applications are not the result of deliberate lies. Jeremiah and I worked many an account overseas where the desire to correct the problem was more important than the finger of blame and covering up the issue. In fact it was shockingly different than here in the US where this is the "standard" business practice (also a very cynical view); they were happy to take full responsibility, and were happy as a group that the security posture was improved over all.

Many developers all over are not only happy to learn the flaws but to learn how to avoid them. It's tough enough to keep one's job on the ever-moving corporate landscape of buy-outs and cut-backs. So when someone helps you to do your job better and even to keep you out of potentially deeper water then you want to not only appreciate them but to learn all you can from them. No, the ones you tick off through full disclosure are often the marketing and executive suits and not the blue-collar coder.


But let me make clear that by full disclosure I don't mean to go to a website where you have no business to point out a flaw in their web app to the news. That's trespass and harassment and I think it should be punishable although I'd put the severity up there with pickpocketing. This also means that a website that you do have business, an app you legitimately use, meaning a government site or a commercial site where you are a client, then you should have the right to speak up if you find something wrong which affects you and your livelihood. You still don't have the right to try to break it though. I won't argue that there is elegance in informing the owner of the site first but I also won't disapprove of those who don't go that path if they feel they are being ignored.


Pete, how many businesses start the implementation of their idea with a copy of OSSTMM (a very fine example of education in my opinion)? I would wager that until this happens we still have way more ignorance than malice at the root of most security issues.

Don't disassociate ignorance from malice. Ignorance can be a form of malice like neglect is a form of abuse.


As it stands, I have no idea how many or who uses the OSSTMM. I hear things from people but I have no tally of its application and which companies it shows up in. I do know that it's fairly unknown in America even among security professionals (especially when counting those new ones with their crisp new CISSP cert and a subscription to some security magazine).

Sincerely,
-pete.


----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




Brought to you by http://www.webappsec.org