Comments on Jeremiah Grossman: Let's talk vulnerability discovery

Comment by dre (2007-06-12)

Notes:

Industry Regulations and Standards

We need better regulations/standards than PCI DSS and NIST. OWASP is working on certification criteria:
http://www.owasp.org/index.php/Category:OWASP_Certification_Criteria_Project
which has been kicked off by this thread:
https://lists.owasp.org/pipermail/owasp-webcert/2007-June/thread.html
I suggest we start there.

Better Channel for Disclosure

What's wrong with RFC 2142? security@, abuse@, or cert@ should go to a responsible party in application security. Ultimately, the person responsible should be an Application Security Manager or Director who reports to a CISO.

Not all organizations can afford to fill these positions, but if your website supports SSL signed by a CA, then that means you probably have a hostmaster@, postmaster@, or webmaster@ - and that one of those was somebody who set up an SSL certificate and knows "something" about web security. If they can answer an automated email about their SSL certificate expiring, then I'm sure that they should also be able to be bothered by a vulnerability finding report.

My favorite channel of disclosure is to use Gabbly and report findings on the actual URL (as well as the top of the domain). If the administrators want to, they can simply pull their RSS feed from Gabbly and get their zero days every morning.

Dummy Pages

While I would like to see more test sites and testing grounds (see the list of tools I have built for OWASP here - http://owasp.org/index.php/Phoenix/Tools ), I think this will neither solve nor improve the disclosure situation.

However, I do have a suggestion. What if PCI DSS decided on a standard to use for a fake credit card number or set of PII? It could be sort of like RFC 1918 - anyone could use this number (or set of numbers) in their database not only as a HoneyToken, but also to allow vulnerability hunters to pull that record of information legally. While other attacks could still cause damage on their live site, it would at least allow simple McCarty-style SQL Injection checks sans "damage". Little things like this could allow certain attacks, until most attacks are legally allowed under certain circumstances, except possibly barring HTTP resource starvation, SYN attacks, and similar complete denial-of-service.

Your other take-aways, such as the matrix of invasiveness, don't sound especially useful or appealing. It sounds to me like you'll be giving a list of things to law enforcement and prosecutors to "go looking for" so that they can bust somebody. I would rather see a list of things that demonstrate to law enforcement what a "good citizen" would do when reporting a vulnerability. Positive thinking vs. negative thinking, got it?

I'm also really surprised that Jeff Williams isn't a part of the working group - that's too bad. Also - if Daniel Cuthbert has "chosen to leave the security industry" (page 8, top right) - why is he re-writing the OWASP T10-2007 to make it more business-friendly, and why is he in charge of the OWASP testing guide v3 project?

Comment by Jeremiah Grossman (2007-06-08)

Yah! I thought I knew what crossing the line was; now I'm not so confident. Sure, ignorance of the law is no excuse, but c'mon, we should still be able to learn what is legal and what is not. Apparently it all comes down to who complains and if law enforcement listens, which sucks big time.

Comment by Anonymous (2007-06-08)

"unfortunately left with more concern than I originally started with"

hahahahaha. that bad, huh?

"this document should be mandatory reading for everyone in or about to become part of the infosec industry"

get out while you can! we're all going to prison!!!