Comments on: Software [In]security: Web Applications and Software Security http://www.mikeandrews.com/2008/11/17/software-insecurity-web-applications-and-software-security/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Securosis – Building a webapp security program part 3 | Mike Andrews http://www.mikeandrews.com/2008/11/17/software-insecurity-web-applications-and-software-security/comment-page-1/#comment-323 Securosis – Building a webapp security program part 3 | Mike Andrews Fri, 05 Dec 2008 07:21:44 +0000 http://www.mikeandrews.com/2008/11/17/software-insecurity-web-applications-and-software-security/#comment-323 [...] vulnerability classes: I’m going to disagree here, and I believe that Gary has the same thoughts.  What we are seeing in web vulnerabilities [...] [...] vulnerability classes: I’m going to disagree here, and I believe that Gary has the same thoughts.  What we are seeing in web vulnerabilities [...]

]]> By: Ken van Wyk http://www.mikeandrews.com/2008/11/17/software-insecurity-web-applications-and-software-security/comment-page-1/#comment-292 Ken van Wyk Tue, 18 Nov 2008 12:52:56 +0000 http://www.mikeandrews.com/2008/11/17/software-insecurity-web-applications-and-software-security/#comment-292 Nice piece. I concur re CSRF, fwiw. I've always thought of it as a form of remote (albeit blind) hijacking. The attacker is essentially duping the browser into allowing the attacker's actions to be taken -- with the trust (and session tokens) of the local user. To me, that sure sounds like hijacking, not interposition. Re black box being what clients are willing to pay for, I've witnessed the same, and for many years. But we've all been claiming this to be "a start" for far too long. We've all got to move beyond that. We've got to do our best to convince and educate of the value of doing serious security testing beyond the uninformed black box sort. IMHO... Cheers, Ken van Wyk Nice piece.

I concur re CSRF, fwiw. I’ve always thought of it as a form of remote (albeit blind) hijacking. The attacker is essentially duping the browser into allowing the attacker’s actions to be taken — with the trust (and session tokens) of the local user. To me, that sure sounds like hijacking, not interposition.

Re black box being what clients are willing to pay for, I’ve witnessed the same, and for many years. But we’ve all been claiming this to be “a start” for far too long. We’ve all got to move beyond that. We’ve got to do our best to convince and educate of the value of doing serious security testing beyond the uninformed black box sort. IMHO…

Cheers,

Ken van Wyk

]]>