RE: [WEB SECURITY] cross site trace

Of course it does, as with any production change. Would you not agree that a
WAF "can be" a compensating/mitigating control for a single identified
bug/threat vector that was identified by internal or external humans? Some
can be

IF carbon fiber based bureaucratic processes and variables take too long to
get a code fix... a rule entry may not require the same amount of change
control within the org., as it directly affects a single positively
identified vuln. that has existing pre-reqs. If there are no pre-reqs, then the vuln
has probability but no possibility. (I have explained it as "turn off a
port" for the network folks; they get it. The control is either on or off for
that issue - hence the issue is either vulnerable or it's not, of course with
the control doing its job and not in fail-open mode.)

Getting back to what I think the key point in the thread was: the issue of the
risk rating (using page 13 of the document in question as reference material:
https://www.pcisecuritystandards.org/pdfs/pci_dss_technical_and_operational_requirements_for_approved_scanning_vendors_ASVs_v1-1.pdf ). If we can
agree that PCI for level 1-4 type merchants is a better collection of
standards than NOTHING to hold the merchant potentially accountable for the
protection of YOUR PII data, then good. Only level 1 and 2 need to file
reports... (I also have compared this to the ten commandments, or decalogue:
it does not eliminate the sin but helps for those that need something to read
to measure whether they are sinners... <no comment>.) The risk levels (Lv1 - Lv5)
are nothing more than a guideline that allows everyone to classify based on
"does it fit in this bucket or this bucket" and hold a conversation about the
same thing. It (the vuln) still needs to be mapped internally to the business
risks, as they are more important than PCI ~ however, PCI has the ability to
step away from liability and even pull the merchant's ability to process and
obtain that thing called funds, so it has some weight.

Finally, justification of my "just use a WAF" comment, or any other tool (and I
got a bunch of off-list emails as well, so I think it's important to state my
personal "blanket position"):

"If allowing a control to be put in place lowers the annual loss expectancy
and likelihood of <insert bad thing> actually happening from an identified
threat/vulnerability at a justifiable cost (potential business impact/loss
vs. control cost), this allows the organization to take risks and proceed
with stitches (better than a Band-Aid) using tactical controls. Of course
it also requires a holistic look at all controls based on the changing
threatscape and tolerance of the organization, using the pirate/ninja attack
and 'how much do I have to defend the castle' perspective."

Finally, I think we are now off topic on "cross site trace".

</end>
-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal@xxxxxxxxxxxx] 
Sent: Wednesday, July 23, 2008 3:21 AM
To: Tom Brennan; Brian Shura
Cc: websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] cross site trace


> that is one of the perfect reasons for a WAF with custom rules ~
> "identify vuln, mitigate, add to dev list" while its rating is being
> discussed of course.. Until then it's fixed <grin>

LOL; doesn't a change on the WAF count as a change then?  

Martin...

