Re: An Open Letter (and Challenge) to the Application Security Consortium

[Jimi Thompson <jimi.thompson () gmail com>]

I need to agree that there needs to be some standards for "truth in
advertising" for IT products.  I've gotten to the point that I don't
even want to talk to anyone's sales critters any more.  I've asked
more than one to leave and not come back because they told some real
whoppers or offered me "gifts" in an effort to sell me me their
product.  There are too many vendors who send sales people out into
the field and tell them to say "whatever it takes to close the deal". 
> From my perspective, if I'm spending $50K of my employer's money on
your product, either method is highly unethical.  If your company is
that poorly run, will you be around when I need service?  If your
company is that unethical, do I really want your product doing god
knows what on my network? If your company has to resort to these kinds
of practices to close a sale, how crappy is your product?

If you want to sell me something, you had better give me the product
in an unaltered state for 90-120 days and I'll tell you if I want it
or not.  No demo = no interest from me = no sale.  This goes for more
than just security products.  We recently puchased a help desk type
ticketing system for handling our internal work flow.  3 major vendors
got cut out of the running because the only demo that they would give
us was some flash or some other "precooked" demo on their web site. 
That doesn't cut it.  I've been lied to far too many times to shuck
out a single dollar of my employers money without a demo period on
ANYTHING.


What all the marketing wonks don't seem to get is that lying to
techies is bad.  It's bad because we WILL find out.  Your  Fantabulous
SuperWidget2000 will fail to do something that you swore to me it
would do or it will do something that you swore to me would never
happen.  Either way, the truth is coming out.  Once I find out that
your company's marketing materials lied to me, I assume that your
whole company is populated with crooks and liars and I'll probably
never do business with you again.  If it's just one person, I can
excuse that as ignorance, incompetence, etc, but the actual brochures,
et. al. published by the company are a totally different issue.

Let me explain to the marketing wonks what that means.  I have an
average working expectancy of 50 years.  Average time on a job is 3.5
years.  That means I'll hold 14 jobs in the course of my working life.
 If the average shop is 50 people., that's going to be 700 people who
hear about my terrible experience every time your company's name is
mentioned.  Each and every one of those 700 will encounter an another
700 people in their working life as well and they'll repeat the story
of my bad experience with those horrible liars.

2 cents,




On Tue, 16 Nov 2004 18:19:23 -0800, ban.marketing.bs () hushmail com
<ban.marketing.bs () hushmail com> wrote:
> Fair call but isn't it also about time someone called BS on your
> members for the shiny red button marketing of app scanners?
>
> Point them at WebGoat, WebMaven, Hacme Bank and they all fail
> miserably. (Note they all pass their in-house written canned test
> apps though). I want to see some real test results for these
> things. My results show less that 1 in 10 issues in the real world.
> Thats horrible.
>
> I say good for OWASP for sticking up for the masses and calling BS
> where they see it. Please make sure you cover app scanners as well!
>
> Some people may have been under the impression that this letter was
>
> directed towards the "Web Application Security Consortium" (WASC)
> http://www.webappsec.org.  To clarify, I believe this letter was
> meant
> for ANOTHER group including F5, Imperva, NetContinuum, and Teros.
> Specifically a challenge they sent to Check Point, Cisco, Juniper,
>
> McAfee and Symantec. Many industry acronyms are very close.
>
> Reference the following URL's for background.
>
> The press release found here:
> https://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=42
>
> further industry coverage here:
> http://news.com.com/Group+aims+to+create+hallmark+of+security/2100-
>
> 1029_3-5443154.html
>
> and here:
> http://biz.yahoo.com/prnews/041109/sftu090_1.html
>
> Regards,
>
> Jeremiah Grossman
>
> On Monday, November 15, 2004, at 07:34  PM, The OWASP Project
> wrote:
>
> > An Open Letter (and Challenge) to the Application Security
> Consortium
> > Since its inception in late 2000 the Open Web Application
> Security
> > Project (OWASP) has provided free and open tools and
> documentation to
>
> > educate people about the increasing threat of insecure web
> > applications and web services. As a not-for-profit charitable
> > foundation, one of our community responsibilities is to ensure
> that
> > fair and balanced information is available to companies and
> consumers.
>
> > Our work has become recommended reading by the Federal Trade
> > Commission, VISA, the Defense Information Systems Agency and many
>
> > other commercial and government entities.
> >
> > The newly unveiled Application Security Consortium recently
> announced
>
> > a "Web Application Security Challenge" to other vendors at the
> > Computer Security Institute (CSI) show in Washington, D.C. This
> group
>
> > of security product vendors proposes to create a new minimum
> criteria
>
> > and then rate their own products against it.
> >
> > The OWASP community is deeply concerned that this criteria will
> > mislead consumers and result in a false sense of security. In the
>
> > interest of fairness, we believe the Application Security
> Consortium
> > should disclose what security issues their products do not
> address.
> > As a group with a wide range of international members from
> leading
> > financial services organizations, pharmaceutical companies,
> > manufacturing companies, services providers, and technology
> vendors,
> > we are constantly reminded about the diverse range of
> vulnerabilities
>
> > that are present in web applications and web services. The very
> small
>
> > selection of vulnerabilities you are proposing to become a
> testing
> > criteria are far from representative of what our members see in
> the
> > real world and therefore do not represent a fair or suitable test
>
> > criteria. In fact, it seems quite a coincidence that the issues
> you
> > have chosen seem to closely mirror the issues that your
> technology
> > category is typically able to detect, while ignoring very common
>
> > vulnerabilities that cause serious problems for companies.
> >
> > Robert Graham, Chief Scientist at Internet Security Systems,
> recently
>
> > commented on application firewalls in an interview for CNET news.
> When
>
> > asked the question "How important do you think application
> firewalls
> > will become in the future?" his answer was "Not very."
> >
> >
> > "Let me give you an example of something that happened with me.
> Not
> > long ago, I ordered a plasma screen online, which was to be
> shipped by
>
> > a local company in Atlanta. And the company gave me a six-digit
> > shipping number. Accidentally, I typed in an incremental of my
> > shipping number (on the online tracking Web site). Now, a six-
> digit
> > number is a small number, so of course I got someone else's user
>
> > account information. And the reason that happened was due to the
> way
> > they've set up their user IDs, by incrementing from a six-digit
> > number. So here's the irony: Their system may be so
> cryptographically
>
> > secure that (the) chances of an encrypted shipping number being
> > cracked is lower than a meteor hitting the earth and wiping out
> > civilization. Still, I could get at the next ID easily. There is
> no
> > application firewall that can solve this problem. With
> applications
> > that people are running on the Web, no amount of additive things
> can
> > cure fundamental problems that are already there in the first
> place."
> > This story echoes some of the fundamental beliefs and wisdom
> shared by
>
> > the collective members of OWASP. Our experience shows that the
> > problems we face with insecure software cannot be fixed with
> > technology alone. Building secure software requires deep changes
> in
> > our development culture, including people, processes, and
> technology.
> > We challenge the members of the Application Security Consortium
> to
> > accept a fair evaluation of their products. OWASP will work with
> its
> > members (your customers) to create an open set of criteria that
> is
> > representative of the web application and web services issues
> found in
>
> > the real world. OWASP will then build a web application that
> contains
>
> > each of these issues. The criteria and web application will be
> > submitted to an independent testing company to evaluate your
> products.
>
> > You can submit your products to be tested against the criteria
> > (without having prior access to the code) on the basis that the
> > results are able to be published freely and will unabridged.
> >
> > We believe that this kind of marketing stunt is irresponsible and
>
> > severely distracts awareness from the real issues surrounding web
>
> > application and web services security. Corporations need to
> understand
>
> > that they must build better software and not seek an elusive
> silver
> > bullet.
> >
> > We urge the Consortium not to go forward with their criteria, but
> to
> > take OWASP up on our offer to produce a meaningful standard and
> test
> > environment that are open and free for all.
> >
> > Contact: owasp () owasp org
> > Website: www.owasp.org
>
> Concerned about your privacy? Follow this link to get
> secure FREE email: http://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> http://www.hushmail.com/services-messenger?l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> http://www.hushmail.com/about-affiliate?l=427


-- 
Thanks,

Jimi