Jeremiah was inspired and wrote 5 spot-on web application security questions (see below) which we all as a community should: a) comment on & discuss, b) research properly for their implications, and c) come up with (for each question) a set of 'this is the current situation' answers.
I suspect that c) will be very uncomfortable reading for a lot of people, but that might actually make some things change (for the better, I hope).

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 10/9/07, Jeremiah Grossman <[EMAIL PROTECTED]> wrote:
>
> Earlier this morning I posted several questions to my blog, which I should have simul-posted here for additional comments. Two people (Rich and Adrian) commented fairly quickly with some very interesting and insightful answers that I highly recommend people read.
>
> blogged:
> http://jeremiahgrossman.blogspot.com/2007/10/some-unanswered-website-vulnerability.html
>
> Rich Mogull:
> http://securosis.com/2007/10/09/some-answers-for-jeremiah-website-vulnerabilities/
>
> -----
> In the industry we discuss at great length the legal risks and ethical responsibilities of the person disclosing an issue, but not enough about the same when it comes to the business itself. I've had a hard time getting authoritative answers to some seemingly simple questions, so I figured I'd give the blog a try. Let's assume a company is informed of a SQLi or XSS vulnerability in their website (I know, shocker) either privately or via public disclosure on sla.ckers.org. And that vulnerability potentially places private personal information (PPI) or intellectual property at risk of compromise. My questions are:
>
> 1) Is the company "legally" obligated to fix the issue or can they just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.
>
> 2) What if repairs require a significant time/money investment? Is there a resolution grace period, does the company have to install compensating controls, or must they shut down the website while repairs are made?
>
> 3) Should an incident occur exploiting the aforementioned vulnerability, does the company carry any additional legal liability?
>
> 4) If the company's website is PCI-DSS certified, is the website still considered certified after the point of disclosure given what the web application security sections dictate?
>
> 5) Does the QSA or ASV who certified the website potentially risk any PCI Council disciplinary action for certifying a non-compliant website? What happens if this becomes a pattern?
>
> While I'm happy to hear anyone's personal opinions, answers backed by cited references are the best. Laws, case law, investigations, news stories, FAQs, or whatever are what I'm looking for.
>
> Regards,
>
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________