Re: Bad security design

@Melvin, I suspect rather than focusing on a specific "good design" we can
just point out the root cause of every issue, different ways it could have
been prevented, and let users make their own decisions.

I was mostly interested in having a channel to showcase the root causes of
mistakes.

@Virginie, let's chat! I hope there's something we can make out of this :)

On Mon, May 9, 2016 at 2:32 PM GALINDO Virginie <
Virginie.Galindo@gemalto.com> wrote:

> Melvin,
> I believe that the perspective is driven by preserving the user, avoiding
> harm to the user's data.
> But you are right to say that good practice should come with advantages or
> disadvantages for each party (user / developer / service provider / third
> party, if any).
> Regards.
> Virginie
>
>
> ---- Melvin Carvalho wrote ----
>
>
>
>
> On 7 May 2016 at 14:07, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>
>> Looking at the discussion in
>> https://github.com/angular/angular/issues/8511, I got thinking that
>> there aren't good resources for developers to learn what is bad "security"
>> design.
>>
>> Perhaps it would be a good idea to showcase common "bad" security
>> decisions by example, or as stories. It would be very memorable to show,
>> for example, how doing CSRF protection on each individual action is
>> error-prone, or how doing sanitization manually on every input is
>> error-prone too. Something like The Daily WTF but for security vulnerabilities.
>>
>> Does anyone know of a public collection of vulnerability root causes
>> (with developers as target audience) out there? I realize there are public
>> pentest reports, but they are usually focused on the vulnerability
>> discoverer more than the developer's point of view. And the examples in
>> sites like OWASP are very artificial, and not real stories.
>>
>
> But who decides what is "bad" security?  Advertisers want one thing, users
> want another, and developers want something else.
>
> From what perspective would this be coming from?
>
>
>>
>> Any pointers?
>>
>> Thanks
>>
>

Received on Monday, 9 May 2016 23:01:41 UTC