[Owasp-board] Fwd: [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 16:05:39 UTC 2015


Sorry for the spamming, just want to make you aware of the comments...
James Titcumb is quite an authoritative expert in PHP ;-P

http://www.jamestitcumb.com

---------- Forwarded message ----------
From: James Titcumb <notifications at github.com>
Date: Fri, Nov 20, 2015 at 10:39 AM
Subject: Re: [phpsec] confidentialString function uses hard-coded key (#108)
To: OWASP/phpsec <phpsec at noreply.github.com>
Cc: owaspjocur <johanna.curiel at owasp.org>


Actually, I hold the opinion that if anyone should have the highest of
standards, it should be OWASP, as they are making recommendations on
security. If this is the perspective of the whole OWASP organisation, then
I'm afraid I'm going to have to stop recommending people look up OWASP.

I may have missed the point (please, someone point out something I
missed?), but leaving a private encryption key publicly accessible on the
web, no matter what the intended use case, is not advocating secure coding.

This sort of attitude "if we used the highest standards, we'd have no
problems" is surely what OWASP *should* be advocating (i.e. be as secure as
possible), but the responses on here have led me to believe that is not
what OWASP wants...

As I said, maybe I've got the wrong end of the stick, but to me, this looks
really bad.

—
Reply to this email directly or view it on GitHub
<https://github.com/OWASP/phpsec/issues/108#issuecomment-158418384>.
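As an added illustration of the defect under discussion (this is not code from the OWASP/phpsec project, from the issue, or from either correspondent), the snippet below puts a confidentialString-style helper with a key embedded in the source next to one that takes its key from the deployment environment and refuses to run without it. The function names, the `APP_CONFIDENTIAL_KEY` variable and the use of libsodium's secretbox are assumptions made for this example; the placeholder key value is constructed.

```php
<?php
// Added example, not phpsec's own code: hard-coded key versus externally supplied key.
// Function names, the environment variable and the sodium primitives are assumptions.

// WEAK: the key is part of the source tree, so anyone who can read the repository
// or the deployed files can decrypt every value ever protected with it, and
// rotating it means shipping a code change.
function confidentialStringHardcoded(string $plaintext): string
{
    $key = "0123456789abcdef0123456789abcdef"; // constructed 32-byte placeholder, checked in with the code
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// HARDENED: the key lives outside the code base (environment, secrets manager,
// protected config file). A missing or malformed key is a fatal configuration
// error; there is deliberately no fallback to a built-in default.
function loadConfidentialKey(): string
{
    $encoded = getenv('APP_CONFIDENTIAL_KEY'); // hypothetical variable name
    if ($encoded === false || $encoded === '') {
        throw new RuntimeException('APP_CONFIDENTIAL_KEY is not set; refusing to encrypt with a default key');
    }
    $key = base64_decode($encoded, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_CONFIDENTIAL_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

function confidentialStringEncrypt(string $plaintext, string $key): string
{
    // Fresh random nonce per message, prepended to the ciphertext so decrypt can recover it.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function confidentialStringDecrypt(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('ciphertext is truncated or not valid base64');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a wrong key or a modified ciphertext fails here.
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        throw new RuntimeException('authentication failed: wrong key or tampered ciphertext');
    }
    return $plaintext;
}

// Usage: generate a key once, e.g.
//   php -r 'echo base64_encode(sodium_crypto_secretbox_keygen()), PHP_EOL;'
// and store it in the environment or a secrets manager, never in the repository.
$key = loadConfidentialKey();
$token = confidentialStringEncrypt('session-secret', $key);
var_dump(confidentialStringDecrypt($token, $key) === 'session-secret');
```

The point of the hardened version is the failure mode: if the key is absent, the helper throws instead of quietly encrypting with something an attacker can read from the source. A secret scanner run in CI (over the repository history, not just the current tree) is the usual check that a key like the one in the weak version has not been committed.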