[Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2 centsfor you...)

Jeff Williams jeff.williams at aspectsecurity.com
Wed Oct 18 07:45:57 EDT 2006


I think this is an excellent idea. I've found that while the "dummies"
don't generally care too much exactly how a vulnerability works, they
are quite interested in the attack scenario and the impact.  It's
difficult to write these sections clearly, so it would be nice to have a
sort of formula for this section -- something like...

"This [vulnerability] would allow a [threat agent] could [do something
technical], enabling them to cause [system impact]. For many
applications this vulnerability could cause [business impact]."

So, for example, your example would be something like...

"This weak session cookie vulnerability would allow an anonymous
internet user to forge cookie-style authentication credentials, enabling
them to access the accounts of legitimate users. For many applications,
this vulnerability could allow an attacker to access users' personal
information, resulting in serious confidentiality, privacy, and
integrity problems as well as reputation damage."

--Jeff

-----Original Message-----
From: owasp-testing-bounces at lists.owasp.org
[mailto:owasp-testing-bounces at lists.owasp.org] On Behalf Of Matteo G.P.
Flora
Sent: Wednesday, October 18, 2006 3:55 AM
To: owasp-testing at lists.owasp.org
Subject: [Owasp-testing] WARNING: Dummies & Managers Ahead (aka my 2
centsfor you...)

Hi all,

PREAMBLE: this mail was meant to be a couple lines long but went out
of my hand... If you have only a minute or so go to <PROPOSAL> section
directly...

<WHOAMI>

My name is Matteo Flora and I'm very pleased to meet you all... I met
Matt and Alberto here in Italy and they told me to sign on to the ML
and take a look at the document...

Well, it surely is something worth looking at!

Just my passing 2 cents: I'm basically a "political" sort of guy,
directing Italian Privacy and Security Observatory (OPSI) and with a
leading role in Italian Computer Society (AIP)...
I struggle everyday to take some kind of awareness in Corporate and
Gov, with direct connection with Italian (and to minimum degree
European) institutes for adoption of Sec methodologies.

But I'm not here to talk about me ;)

<THEPROBLEM>

I was pointing to Matt and Alberto that the actual document is a
perfect example of what a methodology should be and I scarcely am able
to think to anything that isn't covered in there (while I confess huge
gaps in methodologies I didn't even know the name of!).
Working with management (ISO27001) I often am able to see at the
adoption route of a methodology over another and I have a couple of
observation to share with you (each of them not worth more than my 2
eurocents)....

We're facing a couple  problems:

1) Pentester aren't uniformly  SMART
While we're here and we know what to do and how (well, at least YOU
DO) many pentesters or wannabe in the world don't know much about
in-depth methodologies and so on. Many of them simply rely on
off-the-shelf tools and off-the-shelf methodologies and even if these
are NOT what PT should be we must be aware of their existence.

2) Managers tend to screen methodologies
IT world has changed in the last few years even on the side of
management: typical European manager (or PM) is nowaday a hybrid
figure closer than before to code and developing. He tends to look
deeply at methodologies and being security the "buzz of these years"
each manager tend to spot his competence in this field.

How does this affect us at all?

Well, nowadays we see a plethora of new certifications, methodologies,
tools, codes, guidelines, best practices and so on scattered around
and each of them is used or not based on two factors: political power
of the solution (i.e. ISO) and ease of adoption.

While we cannot impact (right now) on the "political power" of OWASP
we can impact deeply on the ease of use. If people are able to use our
document they'll gladly adopt it.

BUT (there's always a BUT.... Murphy thing, you understand...)

It is my opinion that the actual structure of the document will
represent a very though and steep entry-level to a poorly skilled
pentester and/or to a manager.
Let me clear up: that's not necessarily a PROBLEM... We could happily
say "f*ck the dummies, this is a pro document", but I think we'll
loose 80% of possible audience. In addition to this let's remember
that the TESTING document is in many cases far more important than
Coding Guidelines! Why's that? It's simple: reviewing and testing an
application if far easier than building a perfect one and even if a
manager isn't maybe able to review the code he can look at injections
and hijacking quite easily....

<PROPOSAL>

I propose to prepend EACH technique (all the 4.x.x paragraph) with a
"for dummies" paragraph meant to be read by people that don't know
about the problem and giving a little insight on the subject from a
NON TECH view. LANGUAGE will be different, avoiding techie slang and
FORM would be different, outlining concepts instead of points....
I DO NOT suggest a "for dummy" title, but something like "Overview"
and "Technology" division....

Let's take a look to an example:

e.g. "Being able to tamper with cookies may result in hijacking the
sessions of legitimate users"

Will become:

"Manipulating the cookie content may result, and often results, in
changing the environment and may lead to simulate another user or to
gain unauthorized privileges or access"

The aim is to let a TOTAL IDIOT (like me =]) understand what we're
talking about without falling into technical speech too much and
without letting the subject to frighten a reader.
In addition to this not anyone is prepared to cope with every subject
and more often than not I'm sure that people will thank us for that
and our introduction will explain them what to read and how to
document on a peculiar subject...

I'll be able (as an ignorant) to take a look at most of the subjects
and to write briefings but what I'd really like is to know what do you
all think about this approach...

Matt gave me an overenthusiastic feedback, but we all know Matt ;)

Ok, sorry to have wasted so much of your time and let me know if I've
been not clear...


Ciao!

MgpF

-- 
Matteo G.P. Flora | mf at matteoflora.com | www.MatteoFlora.com
Pres. Milano AIP-ITCS #2657 | IEEE CS Member #80409490 | WOT Notary
Direttore Tecnico Osservatorio Permanente Privacy e Sicurezza (OPSI)
Privacy & Security Consultant | Forensic Examiner | SEO Expert
Secure Channel | pgp F3B6BC10 | 1984-at-nym.hush-dot-com
_______________________________________________
Owasp-testing mailing list
Owasp-testing at lists.owasp.org
http://lists.owasp.org/mailman/listinfo/owasp-testing



More information about the Owasp-testing mailing list