[Owasp-codereview] [Owasp-ireland] OWASP Ireland - September 2009 Panel discussion

davidrook david.rook at realexpayments.com
Wed Jul 15 06:06:24 EDT 2009


Hi Mostafa,

I wouldn't agree with what you have said. Taking the example you have 
given there, I fail to see why teaching someone to validate their inputs 
and outputs wouldn't be good in this case. If you had been teaching them 
a set of secure development principles for a year (which would include 
input and output validation/encoding) and they still wrote that code, 
then there is a bigger problem than just the potential of XSS ;-)

I don't think that education detailing specific vulnerabilities should 
be dropped, but I think it shouldn't be a starting point either. A 
developer's security education should not start at the intricate details 
of attacks such as XSS and SQL Injection; rather, this is somewhere their 
education should evolve to. Sure, training courses wouldn't be as 
"glamorous" and people would probably need to charge less for them, but 
that's not the point here!

Thanks,

Dave
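To make the example under discussion concrete, here is the "natural" Web Forms line from Mostafa's message beside an output-encoded version. This is an added illustration, not code from the thread or from either company; the WelcomeMessage class, its method names and the sample input are assumptions made for the illustration, and it uses System.Net.WebUtility so it builds as a plain console program.

```csharp
using System;
using System.Net;

public static class WelcomeMessage
{
    // The "natural" statement from the thread, as a function. A Web Forms
    // Label.Text value is written into the page as raw markup, so whatever the
    // user typed lands in the HTML unchanged. Kept unsafe on purpose.
    public static string BuildUnsafe(string username)
    {
        return "Welcome " + username;
    }

    // The principle-based version: encode at the output boundary for the HTML
    // body context. Input validation still belongs at the input boundary; the
    // encoding is what makes this particular sink safe no matter what got in.
    // (In Web Forms, HttpUtility.HtmlEncode from System.Web does the same job.)
    public static string BuildEncoded(string username)
    {
        return "Welcome " + WebUtility.HtmlEncode(username ?? string.Empty);
    }

    // True when the rendered string still carries raw tag delimiters, i.e. the
    // browser would parse part of the "username" as markup rather than text.
    public static bool ContainsRawMarkup(string rendered)
    {
        return rendered.IndexOf('<') >= 0 || rendered.IndexOf('>') >= 0;
    }

    public static void Main()
    {
        // Constructed sample input: a username the student's code never expected.
        string hostile = "<script>alert('xss')</script>";

        string unsafeOutput = BuildUnsafe(hostile);
        string safeOutput = BuildEncoded(hostile);

        Console.WriteLine("unsafe : " + unsafeOutput);
        Console.WriteLine("encoded: " + safeOutput);
        Console.WriteLine("unsafe output still contains markup : " + ContainsRawMarkup(unsafeOutput));
        Console.WriteLine("encoded output still contains markup: " + ContainsRawMarkup(safeOutput));
    }
}
```

The point of the thread survives the code: a reviewer who only knows "XSS" spots the first method, while a developer taught output encoding as a principle never writes it in the first place.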

Mostafa Siraj wrote:
> Hi David,
>
> I don't think your approach -whitelist learning- would perfectly fit 
> when it comes to application security
>
> I'll give you an example: I was teaching a security course to some 
> students and started telling them, accept a username from a user and 
> echo it back as "Welcome [username]", all the students without 
> exception wrote something like this (here I use C# example)
>
> welcomeMessageLabel.Text = "Welcome " + usernameTextBox.Text;
>
> the above statement is very natural; no one would ever think that it's 
> vulnerable to XSS, for example. Even if I was teaching them Input 
> Validation for 1 year, they will still consider the above statement 
> safe because it's really very natural.
>
> so they have to learn about the main security vulnerabilities 
> -blacklist approach- (OWASP Top 10, or SANS Top 25) to get a feel of 
> how security vulnerabilities occur, besides of course the whitelist 
> approach (Input Validation, Secure Authentication, ...etc)
>
> so I believe that both are very important and you can't skip any one of 
> them
>
> Thanks
>
> Mostafa Siraj <http://AllAboutApplicationSecurity.blogspot.com>
> Application Security Expert
> ITWorx Egypt
> www.ITWorx.com
>
> On Wed, Jul 15, 2009 at 12:10 PM, davidrook 
> <david.rook at realexpayments.com> wrote:
>
>     For controversy dial C for Conor! :)
>
>     I have one as well: "The path to secure software does not start with
>     specific vulnerabilities".
>
>     I think anyone on the Irish mailing list will know I have been saying
>     since the release of the SANS Top 25 list earlier this year that I don't
>     think lists of vulnerabilities are the optimal approach to developer
>     education and ultimately secure software. We as software security
>     professionals are guilty of telling developers to prevent a list of
>     vulnerabilities instead of telling them to develop securely; yes, I do
>     feel there is a difference here. Think of it this way: when you are
>     learning to drive, does the instructor give you a list of ways to crash
>     a car and hope you figure out how to avoid all of those different ways
>     of crashing, or does he teach you how to drive safely and within the
>     rules of the road?
>
>     Everyone without fail in the application security community is guilty
>     of doing this, yet we blame the developers when the applications are
>     insecure. Are the security professionals not just as culpable for not
>     educating developers correctly? Whether it be the OWASP Top Ten, PCI DSS
>     Requirement 6.5 or companies offering secure development training, they
>     all focus on a small set of vulnerabilities instead of focusing on a set
>     of secure development principles such as Input Validation, Error
>     Handling and Secure Communications.
>
>     Dave
>
>     Conor Mc Goveran wrote:
>     > HTML5 could have been a unifying standard which may have halted the
>     > continued fracturing of the web as a platform; alas, with the failure
>     > of the browser vendors to unify behind this standard (dropping the
>     > video tag due to lack of agreement on the codec) this will be the
>     > biggest missed opportunity of the decade. ALL of the developments that
>     > are good about the internet/web have come from a base of widely
>     > adopted and largely consistent implementation of the standards. The
>     > failure to bring the HTML standard into the shiny new world of the web
>     > application is the start of the end for web applications. Building web
>     > applications is hard because HTML/JavaScript is definitely not a good
>     > foundation for an application platform. The reason it continues to
>     > increase in popularity is because HTML/JavaScript, while far from
>     > perfect, is well implemented (despite Microsoft's best efforts) and
>     > standardised even across OS/Browser combinations. Now we have AIR,
>     > Silverlight, Flash, Quicktime, Shockwave blah blah blah. All
>     > proprietary, all different, all crap.
>     > The web is dead. Dead? Yeah, dead. US multinationals have screwed the
>     > pooch again. Can industry, and in particular the US software behemoths,
>     > actually ever create an innovative, diverse and standardised eco-system
>     > for technology? Can they ever understand that actually starting to
>     > compete with each other on innovation rather than the red-eyed craze
>     > of trying to dominate an industry through proprietary lock-in will
>     > benefit everyone? Or is this the sole preserve of the academic
>     > community? I thought a quote from a Microsoft employee made to me in
>     > 2003 summed it all up when speaking about web services: 'If only
>     > everyone had used DCOM, none of this would have been necessary.' Sigh!
>     >
>     > 2009/7/14 Eoin <eoin.keary at owasp.org>
>     >
>     >     Guys,
>     >
>     >     Any ideas of a *good* topic for a panel discussion which may
>     >     engage the initiated and non alike?
>     >
>     >     Something controversial? or bipartisan?  ("The world is flat" or
>     >     "yes earth is in the middle of the universe") in order to make for
>     >     an interesting discussion?
>     >
>     >     Whoever comes up with the best one I'll buy them as much Guinness
>     >     as they can stomach (Tom Brennan not included).
>     >
>     >     -ek
>     >
>     >     --
>     >     Eoin Keary CISSP CISA
>     >     https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference
>     >
>     >     OWASP Code Review Guide Lead Author
>     >     OWASP Ireland Chapter Lead
>     >     OWASP Global Committee Member (Industry)
>     >
>     >     Quis custodiet ipsos custodes
>     >
>     >     https://twitter.com/EoinKeary
>     >
>     >     _______________________________________________
>     >     Owasp-ireland mailing list
>     >     Owasp-ireland at lists.owasp.org
>     >     https://lists.owasp.org/mailman/listinfo/owasp-ireland
>     >
>     > --
>     > Conor Mc Goveran,
>     > Managing Director,
>     > Onformonics Ltd.
>     >
>     > Onformonics Ltd, Mount Carmel Hse, Firhouse Rd, Dublin 24, Ireland.
>     > Company Reg: 45503
>     > VAT: 9682767B
>     >
>     > Ph:        +353-14407576
>     > Mobile:  +353-872038598
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > Owasp-ireland mailing list
>     > Owasp-ireland at lists.owasp.org <mailto:Owasp-ireland at lists.owasp.org>
>     > https://lists.owasp.org/mailman/listinfo/owasp-ireland
>     >
>
>     --
>     David Rook | david.rook at realexpayments.com
>     <mailto:david.rook at realexpayments.com>
>     Security Analyst
>
>     Realex Payments
>     Enabling thousands of businesses to sell online.
>
>     Visit our new website: www.onlinepayments.ie
>     <http://www.onlinepayments.ie>
>
>     Follow us on Twitter! www.twitter.com/realexpayments
>     <http://www.twitter.com/realexpayments>
>
>     Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
>     |t: +353 1 2808559 | f: +353 1 2808538  | www.realexpayments.com
>     <http://www.realexpayments.com>
>
>     1 Lyric Square, London W6 0NB
>     t: +44 203 1785370 | f: +44 207 6917264  |
>     www.realexpayments.co.uk <http://www.realexpayments.co.uk>
>
>     27 avenue de l'Opéra, 75001 Paris.
>     t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51
>
>     Visit our other Realex Payments websites:
>     www.airlinepayments.com <http://www.airlinepayments.com>
>     www.sepa.ie <http://www.sepa.ie>
>
>     Pay and Shop Limited, trading as Realex Payments has its
>     registered office at Castlecourt, Monkstown Farm, Monkstown, Co.
>     Dublin, Ireland and is registered in Ireland, company number 324929.
>
>     This mail and any documents attached are classified as
>     confidential and are intended for use by the addressee(s) only
>     unless otherwise indicated. If you are not an intended recipient
>     of this email, you must not use, disclose, copy, distribute or
>     retain this message or any part of it. If you have received this
>     email in error, please notify us immediately and delete all copies
>     of this email from your computer system(s).
>
>
>     _______________________________________________
>     Owasp-codereview mailing list
>     Owasp-codereview at lists.owasp.org
>     <mailto:Owasp-codereview at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-codereview

-- 
David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.

Visit our new website: www.onlinepayments.ie 

Follow us on Twitter! www.twitter.com/realexpayments

Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
|t: +353 1 2808559 | f: +353 1 2808538  | www.realexpayments.com 

1 Lyric Square, London W6 0NB
t: +44 203 1785370 | f: +44 207 6917264  | www.realexpayments.co.uk 

27 avenue de l'Opéra, 75001 Paris. 
t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51

Visit our other Realex Payments websites: 
www.airlinepayments.com 
www.sepa.ie 

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number 324929. 

This mail and any documents attached are classified as confidential and are intended for use by the addressee(s) only unless otherwise indicated. If you are not an intended recipient of this email, you must not use, disclose, copy, distribute or retain this message or any part of it. If you have received this email in error, please notify us immediately and delete all copies of this email from your computer system(s).