OWASP Top Ten is really the OWASP Top 6.5

Announcement of changes in company password po...
Image via Wikipedia


This is somewhat dated, but so what? Most of the points raised still hold valid.
It opens:

CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by then end of the week!”

… and it goes on with the sad-but-true

Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I’m diabetic.”

Wasn’t there a Dilbert strip about that?   “Invoking the awesome power of certification“?

Speaking of which:

Dilbert “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”

How true; how poignant! And we all know the response to that:

Consultant: “I’m sorry that is not on the list! hmm what to do? I will use the consultants Top Ten Scarry Word List!” Sarbanes-Oxley, HIPAA, PCI…”

Seriously, though: a while ago I read an article suggesting that how you title you posts or blogs was very important and used examples from magazines such as Cosmopolitan to illustrate that: “The top 10 ways …”, “10 things you should know” and such like were going to attract more readers.

Well heck, who wants to read an article titled:

“Six and a half ways to secure your web site”.

Maybe those into reverse psychology perhaps?
But please, do fix those expired SSL certificates.

Reblog this post [with Zemanta]

Business Logic Flaws

Toronto – OWASP

This month’s meeting was about layer 7 errors in web applications. Trey Ford was a fast spoken Texan and gave some good examples.

The common thread, as I saw it, was that no amount of pen testing, no amount of risk analysis would have uncovered these flaws. What they had in common was ‘failure mode’. Its another FMEA situation. The designers were optimists and never conceived of the abuse and trickery that might be perpetrated.

Let me give another Layer 7 example.

One of the lists I belong to forbids Out-of-the-Office messages. If anyone is so foolish as to have one set up to respond to list messages he gets ridiculed on the list. If his message leaves other contact information, we’ll contact those people and tell them of the mistake.

Other lists I’m on seem to suffer from what amounts to OotO broadcast storms. When I submit a post to them I get a flood of OotO messages that compares to my daily spam. Sending OotO response to a mailing list message is dumb in the first place, but its also a security issue. Some of these lists don’t have restricted membership, so someone could join with the express intention of harvesting addresses or other inside information.

Even worse, try googling for “out of the office“. Its amazing how easy social engineering can be.

Your company may mandate the use of OotO, but its most useful internally and should not be used in response to mailing lists. If you are going to use this mechanism make sure you have it set up properly.

Back in 2003, my German friend and fellow CISSP, Axel Eble, wrote a draft RFC about OotO best practices. Sadly it died without becoming an IETF baseline.

See also:
‘Out of office’ messages turned into spam relays

Reblog this post [with Zemanta]