[Owasp-vancouver] Interest in a meeting?

Yvan Boily yvanboily at gmail.com
Tue Mar 23 16:13:25 EDT 2010


Hi David,

Wow, that really is a question for your lawyer!  It really depends on to
what degree you are a party to the CA between your client and the vendor,
and the degree of liability that is transferred to you via the third party
agreement between you and your client.  For the rest of this email, read it
with the following in mind:

A) I am not a lawyer, and this is not legal advice.
*B) I am not a lawyer, and this is not legal advice.*

You could contact the original vendor and advise them of the issue, in
writing.  Suggest that they investigate the issue and request a follow-up
discussion within 5 days.  Include a reference to and summary of a
responsible disclosure policy[1], and your willingness to work with them to
ensure that their customers are protected.  Stress that your concern here is
protecting the vendor's customers, and the fact that those websites which
process credit cards are not in compliance with their service providers.

Above all, be sure to make them aware that you are formally notifying them
of the issue (and include each of the issues you have identified!).  Advise
them that you have already invested time and effort into this, and _do_not_
proceed with any other testing or research against the targets while you are
negotiating the time frame and handling the disclosure.  If they ask you to
do additional work or testing, ensure that you have written authorization
from both the vendor and the owner of the affected site.

In keeping with the policy I refer to below, the objective should be to
facilitate their work to address the issue with the carrot of the free work
you have already done, and the stick of disclosure if they do not respond.
Stress that you are not looking for remuneration for services in notifying
them of these issues.  Reject any offers of payments, and frame your
responses as a request to define scope for future engagements should this
issue be resolved in a satisfactory fashion [it is important to clarify that
they are asking you for further assistance, and that for any future work,
you need to discuss terms].

Beyond that, if they don't respond, follow through.  Pick a customer, notify
them of the issue.  Work with the customer to help them deal with it. It is
acceptable to use this as a foundation for future paying work, but is
generally viewed as extortion if this assistance isn't granted as part of
the disclosure cycle.

[1] For example, http://www.wiretrip.net/rfp/policy.html




On Tue, Mar 23, 2010 at 11:26 AM, David Chisholm <dave at lonecrow.com> wrote:

> Hi I will make that date.  I have not been active on the list but I am
> interested in meeting others involved in web application security.
>
> Currently I have a question regarding ethical obligations.
>
> I recently helped a client deal with a web development project that
> they had contracted out to a largish Vancouver company.  I refused to
> sign the confidentiality agreement that the developers wanted me to
> sign because it seemed pretty apparent to me it was mostly used to
> muzzle criticism rather than to protect any IP.  However, I did sign a
> confidentiality agreement directly with my client and that kept him in
> compliance with the CA he signed with them, which allowed him to talk
> to people as long as he had a CA with them. (CA chaining :)
>
> When I reviewed this company's work it was clear that they didn't have
> the first clue about web security. Their application was riddled with
> vulnerabilities, especially in their shopping cart code (cross-site
> scripting, SQL injection, session hijacking).  It was extremely trivial to take
> over any other account on the site and have my way with it. I didn't
> bother trying to get access to the underlying OS because it was
> tenanted hosting and I wanted to stay within the bounds of testing the
> site, not the server.
>
> I visited the developers' web site where they boasted about the over
> 1,000 websites they produced.  I quickly visited a few of the sites in
> their portfolio and it looks like all of them share the same code and
> the same vulnerabilities.  Some of these sites include radio stations,
> trade schools, wholesale supplier networks, etc.
>
> Questions:
> We all know that there are lots of insecure websites around, but this
> is a case where I know these sites are vulnerable and users of these
> sites are at risk of losing personal information including CC numbers
> etc.
>
> Because I learned about these vulnerabilities while conducting work
> under a CA, does that mean if I alert those other vulnerable clients I
> am violating the CA?   How should I deal with this?
>
> I know that sure sounds like a question for a lawyer, but I would
> still like to hear your opinions about how to handle this.
>
> Dave
>
> On Tue, Mar 23, 2010 at 10:14 AM, Rui Pereira <wavefront1 at shaw.ca> wrote:
> > 22/4 would work for me - I'm teaching a web application security course that
> > week downtown, so depending on where we meet, I could probably make 4:30pm.
> >
> > I was at the OWASP DC conf. last November, so we could chat a little
> > about that.
> >
> > Thank You
> >
> > Rui Pereira,B.Sc.(Hons),CIPS ISP,CISSP,CISA,CWNA/CWSP,CPTE/CPTC
> > Principal Consultant
> >
> > WaveFront Consulting Group
> > Certified Information Systems Security Professionals
> >
> > wavefront1 at shaw.ca | www.wavefrontcg.com | 1 604 961-0701
> >
> >
> > -----Original Message-----
> > From: owasp-vancouver-bounces at lists.owasp.org
> > [mailto:owasp-vancouver-bounces at lists.owasp.org] On Behalf Of cturra
> > Sent: March-23-10 9:47 AM
> > To: Yvan Boily
> > Cc: owasp-vancouver at lists.owasp.org
> > Subject: Re: [Owasp-vancouver] Interest in a meeting?
> >
> > downtown on 04/22 works the best for me.
> >
> >
> > -- C
> >
> > On Tue, Mar 23, 2010 at 9:31 AM, Yvan Boily <yvanboily at gmail.com> wrote:
> >> So the only remaining question is Coffee or something a little more
> >> sturdy for this informal discussion ;)
> >>
> >> How about Monday the 22nd at 4:30?  Does downtown or near Broadway and
> >> Commercial work for people?
> >>
> >> Cheers,
> >> Yvan
> >>
> >> On Mon, 2010-03-22 at 17:47 -0700, cturra wrote:
> >>> +1. i agree with Yvan, let's get some (informal) meetings going again!
> >>>
> >>>
> >>> -- C
> >>>
> >>> On Mon, Mar 22, 2010 at 3:21 PM, Yvan Boily <yvanboily at gmail.com> wrote:
> >>> > It has been quite some time since any significant discussion has
> >>> > occurred on this list; are there any plans to host another meeting?
> >>> > If not, perhaps it would be a good time to have a less formal meeting
> >>> > at a conveniently located coffee shop or pub to discuss the future of
> >>> > OWASP in Vancouver.
> >>> >
> >>> > Given the presence of some very talented people locally, and the
> >>> > strong presence from a number of large organizations in the lower
> >>> > mainland, I am surprised that there is not more activity.
> >>> >
> >>> > If you are interested, please respond, on or off-list!
> >>> >
> >>> > Cheers,
> >>> > Yvan Boily
> >>> >
> >>> > _______________________________________________
> >>> > Owasp-vancouver mailing list
> >>> > Owasp-vancouver at lists.owasp.org
> >>> > https://lists.owasp.org/mailman/listinfo/owasp-vancouver
> >>> >
> >>> >
> >>
> >>
> >>
> >
> >
> >
>
>
>
> --
> -- "If it doesn't work, it isn't beautiful"
>

