[Owasp-leaders] Summit Regonline

dinis cruz dinis.cruz at owasp.org
Wed Jan 12 10:50:08 EST 2011


This is one of the topics I would like to cover in this working session, "How
to report known security vulnerabilities (for websites)"
<http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session093>,
since, for example, in the UK one could be prosecuted by the CPS under the CMA
(Computer Misuse Act).

Dinis Cruz


On 12 January 2011 15:44, Jim Manico <jim.manico at owasp.org> wrote:

> >  (And the sooner the better, because the first OWASPer to use it might
> be the first to "test" it informally.)
>
>
>
> Now as an OWASP’er, we would never test the security posture of a web
> application (formally or informally) without written permission first,
> correct?
>
>
>
> - Jim
>
>
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Matthew Chalmers
> *Sent:* Wednesday, January 12, 2011 9:12 PM
>
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Summit Regonline
>
>
>
> My concern is not them requiring CVV2, or doing billing address/phone
> verification, or anything else, because I know that my personal liability
> for fraud on my card is $0. Other people may not be in the same boat. The
> vendor doing these things doesn't make OWASPers' information more secure, it
> just helps keep them protected from fraud liability and hassle.
>
>
>
> My concern IS that as a security organization we're contracting third
> parties without checking their security. It's embarrassing that this vendor
> has an SQLI vulnerability, even if it could be demonstrated that the full
> extent of it is simply disclosure of quasi-public information (not the
> ability to change data, insert data, or reveal private info such as a credit
> card number). Even without the SQLI, the links in the confirmation email
> should probably not work for anyone but the person who got it.
>
>
>
> I understand that in this case (and perhaps other cases) it may have been
> (or will be) necessary to get the solution running quickly, but OWASP should
> consider adopting a "policy" of not giving any vendor confidential data or
> money, or signing a contract for their services, until we have either
> tested/audited them and/or included a provision in the agreement that we can
> do so whenever we like. (And the sooner the better, because the first
> OWASPer to use it might be the first to "test" it informally.)
>
>
>
> Matt
>
>
>
> On Wed, Jan 12, 2011 at 8:49 AM, Kate Hartmann <kate.hartmann at owasp.org>
> wrote:
>
> Group, the CVV is now required for all credit card purchases through
> RegOnline.
>
> As you know, we have been using a different system for memberships and
> registrations until this point, and that system did not require the security
> code, so I mirrored the settings we had been using for the past 4 years when
> setting up the new system.
>
> Please, if you have concerns, don't assume it's a security flaw. Ask
> first. As in this case, it could be an issue of a back door setting.
>
> Development is working on the other issue reported last week. Resolution
> will be swift.
>
> Kate Hartmann
> Operations Director
> 301-275-9403
> www.owasp.org
> Skype:  Kate.hartmann1
>
>
> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org
>
> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Matt Tesauro
> Sent: Wednesday, January 12, 2011 9:36 AM
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Summit Regonline
>
> For what it's worth...
>
> When I did an organizational membership through RegOnline last week, I used
> an Amex and was asked for the CVV.
>
> I don't know what CC you used or your total, but I can tell you that for
> Organizational Supporters ($5,000 USD), they required CVV for Amex (and
> apparently all cards, as it was part of the HTML form).
>
> Give Kate some time to work with RegOnline and let's see what happens on this
> and other issues. My understanding from talking with Kate multiple times is
> that they have been open and eager when working with us in the past. Let's
> get a response from them before we take them to task.
>
> Also remember that getting the Summit set up is taking 99% of OWASP's
> volunteers' and employees' time, and that won't change until after it's done.
>
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
> On 01/12/2011 02:04 AM, Ofer Maor wrote:
> > I think that at the "moment" of buying you are right - sure, if I
> > don't give my CVV, it won't be compromised.
> >
> >
> >
> > The cold and rough feeling I get is from the concept. A site that does
> > not require a CVV is a site that makes it easier to use stolen cards
> > (the likelihood of stealing card information without CVV is higher,
> > due to the better security placed on CVVs).
> >
> >
> >
> > Hence, I always flinch when sites don't ask for CVV, especially when
> > those are sites that allow for purchases of hundreds or thousands of
> > dollars.
> >
> >
> >
> > (Btw - in the US, you have another security mechanism which is not
> > enabled worldwide - which is billing address confirmation. This is
> > especially useful when purchasing online goods to be shipped to you,
> > as in such case the potential abuse of cards is very low. However, for
> > non-US issued cards, this is not verified as in the US, and, even if
> > so, this was purchased for something that is not shipped, so the value is
> > low).
> >
> >
> >
> > Just my .02
> >
> >
> >
> > Ofer.
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > *From:*owasp-leaders-bounces at lists.owasp.org
> > [mailto:owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Jason Li
> > *Sent:* Wednesday, January 12, 2011 6:59
> > *To:* owasp-leaders at lists.owasp.org
> > *Subject:* Re: [Owasp-leaders] Summit Regonline
> >
> >
> >
> > Agreed - but it's the *existence* of the CVV2 in general that provides
> > the warm and fuzzy.
> >
> >
> >
> > The fact that a merchant does not ask for the CVV2 doesn't make a
> > difference from the cloning perspective, right?
> >
> >
> >
> > In fact, I think you could argue that if a merchant does *not* ask for
> > CVV2, a user is in fact better off from a personal security perspective.
> >
> >
> >
> > -Jason
> >
> > On Tue, Jan 11, 2011 at 11:33 PM, Matthew Chalmers
> > <matthew.chalmers at owasp.org <mailto:matthew.chalmers at owasp.org>> wrote:
> >
> > It makes users feel warm and fuzzy because it's less likely that their
> > card can be used if cloned from the stripe only. :)
> >
> >
> >
> > On Tue, Jan 11, 2011 at 10:26 PM, Jason Li <jason.li at owasp.org> wrote:
> >
> > The CVV2 code is not technically required to make a credit card
> > payment in the US (some European countries do require it).
> >
> >
> >
> > From a *user* security perspective, I don't think there's a
> > significant impact for *not* providing a CVV2 code...
> >
> >
> >
> > But I'm sure someone will point it out if I'm wrong :)
> >
> >
> >
> > -Jason
> >
> >
> >
> > On Tue, Jan 11, 2011 at 6:28 PM, Ofer Maor <ofer.maor at owasp.org
> > <mailto:ofer.maor at owasp.org>> wrote:
> >
> >     Am I the only one who feels uncomfortable that the regonline site
> >     did not ask for my CVV when taking my credit card for the booking?
> >
> >     *---*
> >
> >     *Ofer Maor*
> >
> >     *CTO, Hacktics*
> >
> >     *Chairman, OWASP Israel*
> >
> >
> >
> >     Mobile: +972 (54) 6545406
> >
> >     US: +1 (646) 7700646
> >
> >     Office: +972 (9) 9565840
> >
> >     Fax: +972 (9) 9500047
> >
> >     LinkedIn: http://www.linkedin.com/in/ofermaor
> >
> >     Web: www.hacktics.com <http://www.hacktics.com/>
> >
> >
> >
> >
> >
> >
> >
> >     _______________________________________________
> >     OWASP-Leaders mailing list
> >     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders