comments:<inline><br><br><div><span class="gmail_quote">On 4/24/07, <b class="gmail_sendername">Jeremy Epstein</b> <<a href="mailto:jepstein@webmethods.com">jepstein@webmethods.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I've just caught up with 6 weeks of backlogged messages in this group,</blockquote><div><br>better than me, I fell off all the lists when I moved last year. Pardon list duplicity:<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
(1) SOX is a waste, as several people said, because it's just a way to<br>give auditors more ways to demand irrelevant things on checklists - but<br>not to pay attention to actual security. I've had customers demand that
</blockquote><div><br>[...] usual "non-contextual nonsense audit security" requirements removed<br><br>So yeah, this happens all the time. I used to work with several software companies<br>that store the key with the encrypted message, same host, same DB, all because
<br>of the requirement to "encrypt sensitive data". e.g.-like firewall log management<br>products and such. zero value. check.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
(2) PCI, by contrast, is dramatically better, because it's got actual<br>things you can measure, and some of them have some relevance to software<br>security. However, it's having an effect that I think was unintended by
<br>the folks who wrote it (or at least the ones I met at a recent<br>conference) - merchants are pushing the requirements down to all of<br>their suppliers, regardless of whether they're applicable.</blockquote><div>
<br>[...]<br><br>To look the proverbial gift horse in the mouth, there's another pattern<br>I've seen from several PCI assessors: they are requiring some form of<br>software security "testing". There seems to be a lot of general confusion
<br>about what webappsec in PCI is today and/or means. (It means nothing<br>that I know of, outside some random training/awareness req).<br><br>The problem is there is absolutely no definition on what this means. WHS<br>for example has two bitbuckets for simiilar attacks: XSS and Content Spoofing.
<br>Watchfire added a third, "Phishing", which is an overlap of the two above<br>(their developer didn't want to admit to me his XSS checks were lame,<br>so made up /random title). Then you have HTTP Response Splitting, which
<br>I think has next to zero attack surface. We stick close to PCI vuln defs<br>so tend to ignore it, but for some vendors that is a HIGH severity issue. (!?)<br><br>So (a) what is being measured is equivocal, and (b) what is being held
<br>up as priority to be fixed is pretty borked at the moment too.<br><br>The really important stuff, like Authentication and Authorization issues,<br>seem entirely ignored in favor of bit-fiddling like XSS since basic XSS
<br>is generally easier to test for w/out context (e.g.-scanner jocky -->Click/scan).<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>(3) Vendors do what their customers ask for. If my customers ask for<br>better security, we'll put our engineering resources into improving<br>security - just as Microsoft has done. <br></blockquote></div>[...]<br>
<br>Cynically speaking: has it paid off for MS? Vista? Is security driving<br>resounding success there? Do we need more time to tell? SQL Server<br>2005 is nice, but I don't know anyone adopting it because of "security".
<br><br>OTOH: there are folks waving the security banner and getting<br>a positive response from it from their clients and prospects, I believe<br>monetary. They come in a couple of flavors:<br><br>1. Touting Security whilst doing something about it:
<br><br>- <a href="http://www.discoveryproductions.com/">http://www.discoveryproductions.com/</a><br><br>(apology to all the folks I know I'm leaving out, not sure who all<br>I am allowed re: NDAs to mention)<br><br>2. Touting security, making completely false claims, without actually
<br>implementing or measuring it (there is no price to pay for doing this today,<br>I mean, hey: what is "software security" anyway?):<br><br>[url removed]<br>(gives you a nice "uber-secure" message when you log in,
<br>unfortunately thanks to their litigious nature vulns are neither<br>disclosed nor fixed)<br><br>[url removed]<br>(similar story, website used to have a picture of a "safe" on product<br>page, at least they took that down, but left all the client-side config
<br>parameters in the app)<br><br>I chickened out and remove both URLs before sending. Nobody probably<br>cares about the specific companies, except those companies, who<br>have gotten testy with me before. <br><br>3. People using security verification as a weapon; this is at least
<br>the fifth time I have seen this in my career (direct observation, not<br>all the implied vuln research battles):<br><br><a href="http://forums.aspdotnetstorefront.com/showthread.php?t=6257">http://forums.aspdotnetstorefront.com/showthread.php?t=6257
</a><br><br>I'm going to fire up a blog on all the fun stuff, forensic and like I saw<br>at FishNet, and now that I have visibility into 500+ web-sites, should<br>be some useful measurement stats to provide for folks. I don't think
<br>anyone else out there has as many production sites to evaluate at<br>one time, so ideas on what to mine for data welcome.<br><br>If someone wants a measurement bar (e.g.-we are X,Y compared<br>to like software in our industry for security) this is probably something
<br>to discuss how to provide too. At least, I see some *hows* that are<br>all crippled by the sensitivity of the information (at least, the perceived<br>ability to correlate to clients). But worth exploring I think for you ISVs...
<br><br>Thanks, cheers,<br><br><br>-- <br>Arian Evans<br>solipsistic software security sophist<br><br>"I spend most of my money on motorcycles, martinis, and mistresses. The rest of it I squander."