Bad security design

Looking at the discussion in https://github.com/angular/angular/issues/8511,
I got thinking that there aren't good resources for developers to learn
what is bad "security" design.

Perhaps it would be a good idea to showcase common "bad" security decisions
by example, or as stories. It would be very memorable to show, for example,
how doing CSRF protection on each individual action is error-prone, or how
doing sanitization manually on every input is error-prone too. Something
like The Daily WTF but for security vulnerabilities.

Does anyone know of a public collection of vulnerability root causes (with
developers as target audience) out there? I realize there are public
pentest reports, but they are usually focused on the vulnerability
discoverer more than the developer's point of view. And the examples in
sites like OWASP are very artificial, and not real stories.

Any pointers?

Thanks

Received on Saturday, 7 May 2016 14:48:19 UTC