[Owasp-singapore] Web Application Security

Wong Onn Chee ocwong at usa.net
Thu Jun 18 00:00:55 EDT 2009


Hi Ruel,

My personal view is to show the "business" (whatever that means) a
simulated attack.
The same way SCADA came into the limelight with a demonstration of how
an IS attack could be used to bring down power turbines.

But do stay within the law in your demo, e.g. using your own account,
etc.
If after showing the simulated attack to the "business" they still
insist on the status quo, then you have discharged your due diligence.
Document what you have shown and what the final "business"
decisions are, so that there is full accountability.

Hope my $0.02 above helps.

Welcome to the land of "ostriches"!! ;-)
Speaking from experience, there are sadly too many "ostriches" in Singapore.
They thought their world was safe by ignoring the present.
If only that were true, we would be living in heaven. :-)


spawn of soul calibur wrote:
> Hi Guys,
>  
> Just need your opinion/feedback or comment. We have implemented a "not
> so" sensitive web-based application to use for our Reward program. It's
> a SaaS. The issues that I have uncovered are that it does not follow
> our password policy and that the logon credentials are stored in the
> cookie, meaning a user can log in by just clicking the "back" and
> "forward" buttons of the browser.
>  
> The business has provided a risk acceptance. But I am not sure how to
> respond to this. Any opinion/suggestion/feedback/comment?
>  
> Regards,
> Ruel
>
> _______________________________________________
> Owasp-singapore mailing list
> Owasp-singapore at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-singapore
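The cookie design Ruel describes, put side by side with the usual fix, as an added example that is not part of the original thread and not code from the SaaS product under discussion. It models the vulnerable design (the cookie carries the base64-encoded username and password, so every request re-authenticates from it and nothing can be revoked) next to an opaque session id kept in a server-side store. The account name, password, function names and the in-memory `USERS`/`SESSIONS` dictionaries are all constructed for the demo; a real system would store salted password hashes and keep sessions in a database or cache.

```python
"""
Credential-in-cookie (what Ruel found) versus an opaque server-side session.
All names, the sample account and the in-memory stores are constructed for
this example; none of this is the vendor's code.
"""
import base64
import binascii
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample account. Real systems store a salted password hash.
USERS: Dict[str, str] = {"ruel": "S3cret!"}


def _password_ok(username: str, password: str) -> bool:
    """Constant-time password check; unknown users always fail."""
    if username not in USERS:
        return False
    return hmac.compare_digest(USERS[username].encode(), password.encode())


# --- Vulnerable design: the cookie value IS the logon credential ---------

def vuln_login(username: str, password: str) -> Optional[str]:
    """Returns the cookie value: base64("user:password"), no server state."""
    if not _password_ok(username, password):
        return None
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_credential(cookie: str) -> Optional[Tuple[str, str]]:
    """What anyone holding the cookie (browser cache, proxy log, XSS) learns."""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def vuln_authenticate(cookie: str) -> Optional[str]:
    """Every request re-checks the password carried in the cookie."""
    parsed = recover_credential(cookie)
    if parsed is None:
        return None
    username, password = parsed
    return username if _password_ok(username, password) else None


def vuln_logout(cookie: str) -> None:
    """Nothing to revoke: the server keeps no state, so the cookie stays valid.
    This is why "back"/"forward" (a cached request with the old cookie) still
    logs the user in."""
    return None


# --- Hardened design: opaque session id, state held server-side ----------

SESSIONS: Dict[str, str] = {}


def session_login(username: str, password: str) -> Optional[str]:
    """Returns an unguessable session id; the password never leaves the server."""
    if not _password_ok(username, password):
        return None
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[session_id] = username
    return session_id


def session_authenticate(session_id: str) -> Optional[str]:
    """Valid only while the server-side session exists."""
    return SESSIONS.get(session_id)


def session_logout(session_id: str) -> None:
    """Revokes the session; any cached request carrying the id now fails."""
    SESSIONS.pop(session_id, None)


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line for the session id: not readable by script, HTTPS only."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def replay_after_logout() -> Tuple[Optional[str], Optional[str]]:
    """Log in, log out, then replay the old cookie under both designs."""
    vuln_cookie = vuln_login("ruel", "S3cret!")
    vuln_logout(vuln_cookie)
    sid = session_login("ruel", "S3cret!")
    session_logout(sid)
    return vuln_authenticate(vuln_cookie), session_authenticate(sid)


if __name__ == "__main__":
    cookie = vuln_login("ruel", "S3cret!")
    print("credential cookie:", cookie)
    print("recovered from cookie:", recover_credential(cookie))
    print("replay after logout (credential cookie, session id):", replay_after_logout())
    print(set_cookie_header("SESSIONID", session_login("ruel", "S3cret!")))
```

Running it shows the two points a demo to the "business" needs to make: the credential cookie decodes straight back to the username and password, and it still authenticates after logout, whereas the session id is worthless once the server has dropped it. The `Set-Cookie` line shows the attributes (`Secure`, `HttpOnly`, `SameSite`) the vendor should be setting on whichever cookie they issue.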