[WEB SECURITY] Some unanswered website vulnerability questions

[dinis at ddplus.net (Dinis Cruz)]

Jeremiah's was inspired and wrote 5 spot-on web application security
questions (see below) which we all as a community should:a) comment &
discuss
b) research properly its implications, and
c) come up (for each question) with a set of 'this is the current situation'
 answers.

I suspect that c) will be a very uncomfortable reading for a lot of people,
but that might actually make some things change (for the better I hope)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 10/9/07, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
> Earlier this morning I posted several questions to my blog, which I
> should have simul-posted here for additional comments. Two people
> (Rich and Adrian) commented fairly quickly with some very interesting
> and insightful answers that I highly recommend people read.
>
> blogged:
> http://jeremiahgrossman.blogspot.com/2007/10/some-unanswered-website-
> vulnerability.html
>
> Rich Mogull:
> http://securosis.com/2007/10/09/some-answers-for-jeremiah-website-
> vulnerabilities/
>
>
> -----
> In the industry we discuss at great length the legal risks and
> ethical responsibilities of the person disclosing an issue, but not
> enough about the same when it comes to the business itself. I've had
> a hard time getting authoritative answers to some seemingly simple
> questions, so I figured I'd give the blog a try. Lets assume a
> company is informed of a SQLi or XSS vulnerability in their website
> (I know, shocker) either privately or via public disclosure on
> sla.ckers.org. And that vulnerability potentially places private
> personal information (PPI) or intellectual property at risk of
> compromise. My questions are:
>
> 1) Is the company "legally" obligated to fix the issue or can they
> just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.
>
> 2) What if repairs require a significant time/money investment? Is
> there a resolution grace period, does the company have to install
> compensating controls, or must they shutdown the website while
> repairs are made?
>
> 3) Should an incident occur exploiting the aforementioned
> vulnerability, does the company carry any additional legal liability?
>
> 4) If the company's website is PCI-DSS certified, is the website
> still be considered certified after the point of disclosure given
> what the web application security sections dictate?
>
> 5) Does the QSA or ASV who certified the website potentially risk any
> PCI Council disciplinary action for certifying a non-compliant
> website? What happens if this becomes a pattern?
>
> While I'm happy to hear anyone's personal opinions, answers backed by
> cited references are the best. Laws, case law, investigations, news
> stories, FAQ's, or whatever are what I'm looking for.
>
>
>
> Regards,
>
>
> Jeremiah Grossman
> Chief Technology Officer
> WhiteHat Security, Inc.
> http://www.whitehatsec.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20071010/b4951a59/attachment.html