[Owasp-vancouver] Interest in a meeting?

David Chisholm dave at lonecrow.com
Tue Mar 23 23:52:53 EDT 2010


Thanks so much for the excellent response.   Once my client finishes
suing the vendor for failing to deliver I think I will follow the
course of action you laid out.

I actually don't want to do any of the work to renovate any of the
affected sites.  I have seen this company's work and there is no way I
would attempt to patch the existing code because it is such low
quality.  So I might just alert their customers in the manner of a
helpful passerby who just happened to notice that they forgot to lock
their car doors.

See you for drinks.

David Chisholm
lonecrow.net



On Tue, Mar 23, 2010 at 1:13 PM, Yvan Boily <yvanboily at gmail.com> wrote:
> Hi David,
>
> Wow, that really is a question for your lawyer!  It really depends on to
> what degree you are a party to the CA between your client and the vendor,
> and the degree of liability that is transferred to you via the third party
> agreement between you and your client.  For the rest of this email, read it
> with the following in mind:
>
> A) I am not a lawyer, and this is not legal advice.
> B) I am not a lawyer, and this is not legal advice.
>
> You could contact the original vendor and advise them of the issue, in
> writing.  Suggest that they investigate the issue and request a follow-up
> discussion within 5 days.  Include a reference to and summary of a
> responsible disclosure policy[1], and your willingness to work with them to
> ensure that their customers are protected.  Stress that your concern here is
> protecting the vendor's customers, and the fact that for those websites which
> process credit cards, they are not in compliance with their service
> providers.
>
> Above all, be sure to make them aware that you are formally notifying them
> of the issue (and include each of the issues you have identified!).  Advise
> them that you have already invested time and effort into this, and _do_not_
> proceed with any other testing or research against the targets while you are
> negotiating the time frame and handling the disclosure.  If they ask you to
> do additional work or testing, ensure that you have written authorization
> from both the vendor and the owner of the affected site.
>
> In keeping with the policy I refer to below, the objective should be to
> facilitate their work to address the issue with the carrot of the free work
> you have already done, and the stick of disclosure if they do not respond.
> Stress that you are not looking for remuneration for services in notifying
> them of these issues.  Reject any offers of payments, and frame your
> responses as a request to define scope for future engagements should this
> issue be resolved in a satisfactory fashion [it is important to clarify that
> they are asking you for further assistance, and that for any future work,
> you need to discuss terms].
>
> Beyond that, if they don't respond, follow through.  Pick a customer, notify
> them of the issue.  Work with the customer to help them deal with it. It is
> acceptable to use this as a foundation for future paying work, but is
> generally viewed as extortion if this assistance isn't granted as part of
> the disclosure cycle.
>
> [1] For example, http://www.wiretrip.net/rfp/policy.html
>
>
>
>
> On Tue, Mar 23, 2010 at 11:26 AM, David Chisholm <dave at lonecrow.com> wrote:
>>
>> Hi, I will make that date.  I have not been active on the list but I am
>> interested in meeting others involved in web application security.
>>
>> Currently I have a question regarding ethical obligations.
>>
>> I recently helped a client deal with a web development project that
>> they had contracted out to a largish Vancouver company.   I refused to
>> sign the confidentiality agreement that the developers wanted me to
>> sign because it seemed pretty apparent to me it was mostly used to
>> muzzle criticism than to protect any IP.   However, I did sign a
>> confidentiality agreement directly with my client and that kept him in
>> compliance with the CA he signed with them which allowed him to talk
>> to people as long as he had a CA with them. (CA chaining :)
>>
>> When I reviewed this company's work it was clear that they didn't have
>> the first clue about web security. Their application was riddled with
>> vulnerabilities especially in their shopping cart code. (cross-site,
>> SQL Injection, session hijacking).   It was extremely trivial to take
>> over any other account on the site and have my way with it. I didn't
>> bother trying to get access to the underlying OS because it was
>> tenanted hosting and I wanted to stay within the bounds of testing the
>> site, not the server.
>>
>> I visited the developer's web site where they boasted about the over
>> 1,000 websites they produced.  I quickly visited a few of the sites in
>> their portfolio and it looks like all of them share the same code and
>> the same vulnerabilities.  Some of these sites include radio stations,
>> trade schools, wholesale supplier networks, etc.
>>
>> Questions:
>> We all know that there are lots of insecure websites around, but this
>> is a case where I know these sites are vulnerable and users of these
>> sites are at risk of losing personal information including CC numbers
>> etc.
>>
>> Because I learned about these vulnerabilities while conducting work
>> under a CA, does that mean if I alert those other vulnerable clients I
>> am violating the CA?   How should I deal with this?
>>
>> I know that sure sounds like a question for a lawyer, but I would
>> still like to hear your opinions about how to handle this.
>>
>> Dave
>>
>> On Tue, Mar 23, 2010 at 10:14 AM, Rui Pereira <wavefront1 at shaw.ca> wrote:
>> > 22/4 would work for me - I'm teaching a web application security course
>> > that week downtown, so depending on where we meet, I could probably make
>> > 4:30pm.
>> >
>> > I was at the OWASP DC conf. last November, so we could chat a little
>> > about that.
>> >
>> > Thank You
>> >
>> > Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA, CWNA/CWSP, CPTE/CPTC
>> > Principal Consultant
>> >
>> > WaveFront Consulting Group
>> > Certified Information Systems Security Professionals
>> >
>> > wavefront1 at shaw.ca | www.wavefrontcg.com | 1 604 961-0701
>> >
>> >
>> > -----Original Message-----
>> > From: owasp-vancouver-bounces at lists.owasp.org
>> > [mailto:owasp-vancouver-bounces at lists.owasp.org] On Behalf Of cturra
>> > Sent: March-23-10 9:47 AM
>> > To: Yvan Boily
>> > Cc: owasp-vancouver at lists.owasp.org
>> > Subject: Re: [Owasp-vancouver] Interest in a meeting?
>> >
>> > downtown on 04/22 works the best for me.
>> >
>> >
>> > -- C
>> >
>> > On Tue, Mar 23, 2010 at 9:31 AM, Yvan Boily <yvanboily at gmail.com> wrote:
>> >> So the only remaining question is Coffee or something a little more
>> >> sturdy for this informal discussion ;)
>> >>
>> >> How about Monday the 22nd at 4:30?  Does downtown or near Broadway and
>> >> Commercial work for people?
>> >>
>> >> Cheers,
>> >> Yvan
>> >>
>> >> On Mon, 2010-03-22 at 17:47 -0700, cturra wrote:
>> >>> +1. i agree with Yvan, let's get some (informal) meetings going again!
>> >>>
>> >>>
>> >>> -- C
>> >>>
>> >>> On Mon, Mar 22, 2010 at 3:21 PM, Yvan Boily <yvanboily at gmail.com> wrote:
>> >>> > It has been quite some time since any significant discussion has
>> >>> > occurred on this list; are there any plans to host another meeting?  If not,
>> >>> > perhaps it would be a good time to have a less formal meeting at a
>> >>> > conveniently located coffee shop or pub to discuss the future of OWASP in
>> >>> > Vancouver.
>> >>> >
>> >>> > Given the presence of some very talented people locally, and the
>> >>> > strong presence from a number of large organizations in the Lower Mainland,
>> >>> > I am surprised that there is not more activity.
>> >>> >
>> >>> > If you are interested, please respond, on or off-list!
>> >>> >
>> >>> > Cheers,
>> >>> > Yvan Boily
>> >>> >
>> >>> > _______________________________________________
>> >>> > Owasp-vancouver mailing list
>> >>> > Owasp-vancouver at lists.owasp.org
>> >>> > https://lists.owasp.org/mailman/listinfo/owasp-vancouver
>> >>> >
>> >>> >
>> >>
>> >>
>> >>
>>
>>
>>
>> --
>> -- "If it doesn't work, it isn't beautiful"
>
>



-- 
-- "If it doesn't work, it isn't beautiful"