[Owasp-singapore] Over half of all apps have security holes - Dodgy development practices blamed

Wong Onn Chee ocwong at usa.net
Mon Sep 27 19:45:01 EDT 2010

Thanks, Daniel.

Should we then create an online catalog of insecure websites with findings contributed by the public and community?
Sort of a Stomp-like site but focus on insecure websites.

Onn Chee

-----Original Message-----
From: Daniel.Tong at Asia.ING.com
Sent: Monday, 27 September 2010 6:58 PM
To: ocwong at usa.net; claudio.scarabello at sg.verizonbusiness.com
Cc: security-77 at meetup.com; owasp-singapore at lists.owasp.org
Subject: Re: [Owasp-singapore] Over half of all apps have security holes - Dodgy development practices blamed

The only people to benefit from law suits are the lawyers. 
Trust me they do not need another source of income.

I would agree that awareness and education is key. For consumers and businesses it's one of choice. That is, if people realise they are at 'risk' they will take their business elsewhere.

What needs to be demonstrated is that good security = trust = $.


----- Original Message -----
From: owasp-singapore-bounces at lists.owasp.org <owasp-singapore-bounces at lists.owasp.org>
To: Scarabello, Claudio <claudio.scarabello at sg.verizonbusiness.com>
Cc: security-77 at meetup.com <security-77 at meetup.com>; OWASP Singapore <owasp-singapore at lists.owasp.org>
Sent: Mon Sep 27 18:17:46 2010
Subject: Re: [Owasp-singapore] Over half of all apps have security holes - Dodgy development practices blamed

Hi Claudio,

Good insight.

Should we update consumers that they have the right to sue a website
owner if the website is insecure and infects their visitors?
This way, the business folks will stop ignoring the value of appsec.
When their pockets are hurt, the business folks will move.

Perhaps we should run an awareness campaign to educate and inform
consumers about their rights.
I believe such a campaign benefits all infosec pros.
What do you think?

Onn Chee

On 09/27/2010 11:32 AM, Scarabello, Claudio wrote:
> The way I see it, poor development practices, training and/or education
> are merely symptomatic of a root cause related to business owners who do
> not establish incentives/metrics for developers to build secure apps in
> the first place. And that's because business owners do not set aside
> budget for security reviews/ secure development. Why would they? Risk
> responsibility is not well established in the dev phases: they can deal
> with it later. And, adding SDLC (for example) early on would only slow
> down/hinder the project plans.
> Regards, Claudio Scarabello
> -----Original Message-----
> From: owasp-singapore-bounces at lists.owasp.org
> [mailto:owasp-singapore-bounces at lists.owasp.org] On Behalf Of Wong Onn
> Chee
> Sent: Saturday, September 25, 2010 1:27 AM
> To: OWASP Singapore; security-77 at meetup.com
> Subject: [Owasp-singapore] Over half of all apps have security holes -
> Dodgy development practices blamed
>  http://www.theregister.co.uk/2010/09/23/web_app_security_audit/
> Some interesting questions for us to think about:
> - How were developers taught dodgy development practices?
> - Is something broken in how we teach developers?
> - If it is true that our developers are not taught in the right way,
> should we focus our efforts on the schools where developers are trained,
> instead of relying on OJT to learn about secure web app development?
> What do you think?
Owasp-singapore mailing list
Owasp-singapore at lists.owasp.org

