- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Mon, 9 May 2016 22:39:08 +0200
- To: Eduardo Vela <sirdarckcat@gmail.com>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>
Received on Monday, 9 May 2016 20:39:36 UTC
On 7 May 2016 at 14:07, Eduardo Vela <sirdarckcat@gmail.com> wrote:

> Looking at the discussion in
> https://github.com/angular/angular/issues/8511, I got thinking that there
> aren't good resources for developers to learn what is bad "security" design.
>
> Perhaps it would be a good idea to showcase common "bad" security
> decisions by example, or as stories. It would be very memorable to show,
> for example, how doing CSRF protection on each individual action is
> error-prone, or how doing sanitization manually on every input is error
> prone too. Something like The Daily WTF but for security vulnerabilities.
>
> Does anyone know of a public collection of vulnerability root causes (with
> developers as target audience) out there? I realize there are public
> pentest reports, but they are usually focused on the vulnerability
> discoverer more than the developer's point of view. And the examples in
> sites like OWASP are very artificial, and not real stories.

But who decides what is "bad" security? Advertisers want one thing, users want another, and developers want something else. From what perspective would this be coming from?

> Any pointers?
>
> Thanks