[Owasp-leaders] Summit Regonline

Jeff Williams jeff.williams at owasp.org
Wed Jan 12 22:54:38 EST 2011

I think it’s a *very* good idea for OWASP to do some due diligence around any vendors that we use.  But we’ve got to be careful about this.  Is RegOnline less secure than cvent?  Does finding a single flaw make any difference in this calculation?  What’s the opportunity cost of not switching?  How can OWASP effectively audit a vendor?  Etc…

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Ofer Maor
Sent: Wednesday, January 12, 2011 3:14 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Summit Regonline

Hi James,

Just in regard to your first point – what you’re saying is true for the aware consumer who goes through all their credit card bills regularly and checks this. Most people don’t.

As for 2 & 3 – couldn’t agree more :)

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of James McGovern
Sent: Wednesday, January 12, 2011 21:07
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Summit Regonline

Couldn’t resist chiming in.

1. The risk to the consumer is $0 as credit card companies will reimburse. With that being said, there is an unstated cost to aggravating consumers when this happens. Need a metric around this.

2. If regonline suffers from SQLI vulnerability, maybe the issue isn’t in OWASP negotiation but in the fact that PCI-DSS needs to have a way for when this is uncovered that their QSA could learn of it? With that being said, when we negotiated with them, did we use our own contract annex?

3. The biggest risk here is one of brand risk. Imagine if it got out that OWASP uses a site for credit card collection that doesn’t even comply with the top ten…

James McGovern