Re: Bad security design from GALINDO Virginie on 2016-05-09 (public-web-security@w3.org from May 2016)

From: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Date: Mon, 9 May 2016 09:33:45 +0000
To: "public-web-security@w3.org" <public-web-security@w3.org>, Eduardo Vela <sirdarckcat@gmail.com>
Message-ID: <v97nv9qjbn08r8lfe4vq50m2.1462785006581@email.android.com>

Eduardo,

I have not seen such ressource, appart spread from the different media I am.monitoring<http://am.monitoring> on a regular basis.
If I understand well, you are suggesting a try on web developer awareness and education, aka bridging the gap between security experts and non-specialist web developers by real exemples.
I am wondering if this could not be a 'simple' press and blog post reference collection, gathering major vulnérabilities disclosure and corresponding design problem (and obvious patch / bug fix directions), combined with contextual reminder of good security principles, for educative purpose. A kind of 25 lines newsletter focusing on web security news.

I'd be happy to kickoff that for a first try. Anyone else with me ?

Regards
Virginie

---- Eduardo Vela a écrit ----

Looking at the discussion in https://github.com/angular/angular/issues/8511, I got thinking that there aren't good resources for developers to learn what is bad "security" design.

Perhaps it would be a good idea to showcase common "bad" security decisions by example, or as stories. It would be very memorable to show, for example, how doing CSRF protection on each individual action is error-prone, or how doing sanitization manually on every input is error prone too. Something like The Daily WTF but for security vulnerabilities.

Does anyone know of a public collection of vulnerability root causes (with developers as target audience) out there? I realize there are public pentest reports, but they are usually focused on the vulnerability discoverer more than the developer's point of view. And the examples in sites like OWASP are very artificial, and not real stories.

Any pointers?

Thanks
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Received on Monday, 9 May 2016 09:34:47 UTC