[Owasp-board] FW: [Owasp-leaders] Summit Regonline

Matt Tesauro matt.tesauro at owasp.org
Wed Jan 12 19:46:07 UTC 2011


From my perspective, the fact that they acknowledge the problem and are
very proactively fixing it shows that they care about security.

I don't expect every piece of existing software to be perfect - nor
should anyone else.

The real *key* here is how they handle the situation and I say they are
doing fine so far.

If we are going to do more than preach to the choir, we need to make
sure we don't become zealots.

They had a flaw, they acknowledged it, they are fixing it.  End of story.

</2 cents>

[1] I had a reported SQL injection take 16 months to get a fix to production

(Sorry for double-sending this to Seba, Dinis and Kate - my first
response was accidentally from my Gmail account)

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site

On 01/12/2011 01:32 PM, Kate Hartmann wrote:
> I spoke with our account rep at reg online today.  She said the sql
> problem fix will be implemented tonight.
> 
> I explained that we have some other issues and have requested that we
> have a contact on the Development team assigned to us so we can address
> these serious issues quickly.
> 
> They WANT to know about any issues we’re finding.  What can I do, in
> your opinion, to restore community trust in this program?
> 
> Kate Hartmann
> 
> Operations Director
> 
> 301-275-9403
> 
> www.owasp.org <http://www.owasp.org/>
> 
> Skype:  Kate.hartmann1
> 
> *From:*owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *James McGovern
> *Sent:* Wednesday, January 12, 2011 2:07 PM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Summit Regonline
> 
> Couldn’t resist chiming in.
> 
> 1. The risk to the consumer is $0 as credit card companies will
> reimburse. With that being said, there is an unstated cost to
> aggravating consumers when this happens. Need a metric around this.
> 
> 2. If regonline suffers from an SQLI vulnerability, maybe the issue
> isn’t in OWASP negotiation but in the fact that PCI-DSS needs to have a
> way for when this is uncovered that their QSA could learn of it? With
> that being said, when we negotiated with them, did we use our own
> contract annex?
> 
> 3. The biggest risk here is one of brand risk. Imagine if it got
> out that OWASP uses a site for credit card collection that doesn’t even
> comply with the top ten…
> 
> James McGovern
> http://twitter.com/mcgoverntheory
