Secure Coding mailing list archives
[WEB SECURITY] Some unanswered website vulnerability questions
From: dinis at ddplus.net (Dinis Cruz)
Date: Wed, 10 Oct 2007 00:29:45 +0100
Jeremiah was inspired and wrote 5 spot-on web application security questions (see below) which we all as a community should:

a) comment on & discuss,
b) properly research the implications of, and
c) come up with (for each question) a set of 'this is the current situation' answers.

I suspect that c) will be very uncomfortable reading for a lot of people, but that might actually make some things change (for the better, I hope).

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 10/9/07, Jeremiah Grossman <jeremiah at whitehatsec.com> wrote:
Earlier this morning I posted several questions to my blog, which I should have simul-posted here for additional comments. Two people (Rich and Adrian) commented fairly quickly with some very interesting and insightful answers that I highly recommend people read.

blogged: http://jeremiahgrossman.blogspot.com/2007/10/some-unanswered-website-vulnerability.html
Rich Mogull: http://securosis.com/2007/10/09/some-answers-for-jeremiah-website-vulnerabilities/

-----

In the industry we discuss at great length the legal risks and ethical responsibilities of the person disclosing an issue, but not enough about the same when it comes to the business itself. I've had a hard time getting authoritative answers to some seemingly simple questions, so I figured I'd give the blog a try.

Let's assume a company is informed of a SQLi or XSS vulnerability in their website (I know, shocker) either privately or via public disclosure on sla.ckers.org, and that the vulnerability potentially places private personal information (PPI) or intellectual property at risk of compromise. My questions are:

1) Is the company "legally" obligated to fix the issue, or can they just accept the risk? Think SOX, GLBA, HIPAA, PCI-DSS, etc.

2) What if repairs require a significant time/money investment? Is there a resolution grace period, does the company have to install compensating controls, or must they shut down the website while repairs are made?

3) Should an incident occur exploiting the aforementioned vulnerability, does the company carry any additional legal liability?

4) If the company's website is PCI-DSS certified, is the website still considered certified after the point of disclosure, given what the web application security sections dictate?

5) Does the QSA or ASV who certified the website potentially risk any PCI Council disciplinary action for certifying a non-compliant website? What happens if this becomes a pattern?

While I'm happy to hear anyone's personal opinions, answers backed by cited references are the best. Laws, case law, investigations, news stories, FAQs, or whatever are what I'm looking for.

Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/