RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: "Martin O'Neal" <martin.oneal@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Tue, 7 Oct 2008 06:58:38 +0100
> Rafal's point of becoming "fix it"
> people was calling out to
> organizations on a budget...
People who know what to do, but don't have the budget, have plenty of
free resources to go to. Corsaire, like many others, contributes plenty
of time to initiatives like OWASP etc. The information is good quality,
and easily accessible.
> many small sites believe they are
> not a target because they don't
> store credit card information...
People who don't even know "why", let alone "what", are an entirely
different thing. And to be fair (and objective), I think you're
probably wasting your time. It is the same scenario as patching in the
world of infrastructure. The problem is well understood and documented.
The tools are easily available. Many products even auto-update by
default, and yet there are huge swathes of machines connected to the
Internet that do not feel the love. Why is this? The detail will vary
between individual cases, but as a general observation it is because
some people patch, and some people don't. :)
Now, you can spend lots of time trying to get some of these people to
understand, and yes, it is possible to get the occasional convert, but
on the whole you are probably wasting your time. Most developers and
organisations don't start to become interested until after they fail
their first audit, or after they get publicly hacked. After this
happens, then you can start your education program and can make a real
difference.
I'm not cynical, I'm experienced. LOL.
Martin...
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org