
On 4/24/07, Jeremy Epstein <[EMAIL PROTECTED]> wrote:

> I've just caught up with 6 weeks of backlogged messages in this group,


Better than me; I fell off all the lists when I moved last year. Pardon list
duplicity:

> (1) SOX is a waste, as several people said, because it's just a way to
> give auditors more ways to demand irrelevant things on checklists - but
> not to pay attention to actual security.  I've had customers demand that


[...] usual "non-contextual nonsense audit security" requirements removed

So yeah, this happens all the time. I used to work with several software
companies that store the key with the encrypted message, same host, same DB,
all because of the requirement to "encrypt sensitive data", e.g. firewall log
management products and such. Zero value. Check.

> (2) PCI, by contrast, is dramatically better, because it's got actual
> things you can measure, and some of them have some relevance to software
> security.  However, it's having an effect that I think was unintended by
> the folks who wrote it (or at least the ones I met at a recent
> conference) - merchants are pushing the requirements down to all of
> their suppliers, regardless of whether they're applicable.


[...]

To look the proverbial gift horse in the mouth, there's another pattern
I've seen from several PCI assessors: they are requiring some form of
software security "testing". There seems to be a lot of general confusion
about what webappsec in PCI is today and/or means. (It means nothing
that I know of, outside some random training/awareness req).

The problem is there is absolutely no definition on what this means. WHS
for example has two bitbuckets for similar attacks: XSS and Content Spoofing.
Watchfire added a third, "Phishing", which is an overlap of the two above
(their developer didn't want to admit to me his XSS checks were lame,
so made up a random title). Then you have HTTP Response Splitting, which
I think has next to zero attack surface. We stick close to PCI vuln defs
so tend to ignore it, but for some vendors that is a HIGH severity issue.
(!?)

So (a) what is being measured is equivocal, and (b) what is being held
up as priority to be fixed is pretty borked at the moment too.

The really important stuff, like Authentication and Authorization issues,
seem entirely ignored in favor of bit-fiddling like XSS, since basic XSS
is generally easier to test for without context (e.g. scanner jockey
--> click/scan).


> (3) Vendors do what their customers ask for.  If my customers ask for
> better security, we'll put our engineering resources into improving
> security - just as Microsoft has done.

[...]

Cynically speaking: has it paid off for MS? Vista? Is security driving
resounding success there? Do we need more time to tell? SQL Server
2005 is nice, but I don't know anyone adopting it because of "security".

OTOH: there are folks waving the security banner and getting
a positive response from it from their clients and prospects, I believe
monetary. They come in a couple of flavors:

1. Touting Security whilst doing something about it:

- http://www.discoveryproductions.com/

(apology to all the folks I know I'm leaving out, not sure who all
I am allowed re: NDAs to mention)

2. Touting security, making completely false claims, without actually
implementing or measuring it (there is no price to pay for doing this today,
I mean, hey: what is "software security" anyway?):

[url removed]
(gives you a nice "uber-secure" message when you log in,
unfortunately thanks to their litigious nature vulns are neither
disclosed nor fixed)

[url removed]
(similar story, website used to have a picture of a "safe" on product
page, at least they took that down, but left all the client-side config
parameters in the app)

I chickened out and removed both URLs before sending. Nobody probably
cares about the specific companies, except those companies, who
have gotten testy with me before.

3. People using security verification as a weapon; this is at least
the fifth time I have seen this in my career (direct observation, not
all the implied vuln research battles):

http://forums.aspdotnetstorefront.com/showthread.php?t=6257

I'm going to fire up a blog on all the fun stuff, forensic and the like, that
I saw at FishNet, and now that I have visibility into 500+ web-sites, there
should be some useful measurement stats to provide for folks. I don't think
anyone else out there has as many production sites to evaluate at
one time, so ideas on what to mine for data are welcome.

If someone wants a measurement bar (e.g.-we are X,Y compared
to like software in our industry for security) this is probably something
to discuss how to provide too. At least, I see some *hows* that are
all crippled by the sensitivity of the information (at least, the perceived
ability to correlate to clients). But worth exploring I think for you
ISVs...

Thanks, cheers,


--
Arian Evans
solipsistic software security sophist

"I spend most of my money on motorcycles, martinis, and mistresses. The rest
of it I squander."
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________