Jeremiah was inspired and wrote 5 spot-on web application security
questions (see below) which we all as a community should: a) comment on,
b) research properly for their implications, and
c) come up with (for each question) a set of 'this is the current situation'

I suspect that c) will be a very uncomfortable reading for a lot of people,
but that might actually make some things change (for the better I hope)

Dinis Cruz
Chief OWASP Evangelist

On 10/9/07, Jeremiah Grossman <[EMAIL PROTECTED]> wrote:
> Earlier this morning I posted several questions to my blog, which I
> should have simul-posted here for additional comments. Two people
> (Rich and Adrian) commented fairly quickly with some very interesting
> and insightful answers that I highly recommend people read.
> blogged:
> vulnerability.html
> Rich Mogull:
> vulnerabilities/
> -----
> In the industry we discuss at great length the legal risks and
> ethical responsibilities of the person disclosing an issue, but not
> enough about the same when it comes to the business itself. I've had
> a hard time getting authoritative answers to some seemingly simple
> questions, so I figured I'd give the blog a try. Let's assume a
> company is informed of a SQLi or XSS vulnerability in their website
> (I know, shocker) either privately or via public disclosure on
> And that vulnerability potentially places private
> personal information (PPI) or intellectual property at risk of
> compromise. My questions are:
> 1) Is the company "legally" obligated to fix the issue or can they
> just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.
> 2) What if repairs require a significant time/money investment? Is
> there a resolution grace period, does the company have to install
> compensating controls, or must they shutdown the website while
> repairs are made?
> 3) Should an incident occur exploiting the aforementioned
> vulnerability, does the company carry any additional legal liability?
> 4) If the company's website is PCI-DSS certified, is the website
> still considered certified after the point of disclosure given
> what the web application security sections dictate?
> 5) Does the QSA or ASV who certified the website potentially risk any
> PCI Council disciplinary action for certifying a non-compliant
> website? What happens if this becomes a pattern?
> While I'm happy to hear anyone's personal opinions, answers backed by
> cited references are the best. Laws, case law, investigations, news
> stories, FAQs, or whatever are what I'm looking for.
> Regards,
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC
as a free, non-commercial service to the software security community.