Re: Bad security design

Melvin,
I believe that the perspective is driven by preserving the user, avoiding the user's data to be harmed.
But you are right to say that good practice should come with avantages ou disadvantages for each part (User / developer / service provider / third party if any).
Regards.
Virginie


---- Melvin Carvalho a écrit ----



On 7 May 2016 at 14:07, Eduardo Vela <sirdarckcat@gmail.com<mailto:sirdarckcat@gmail.com>> wrote:
Looking at the discussion in https://github.com/angular/angular/issues/8511, I got thinking that there aren't good resources for developers to learn what is bad "security" design.

Perhaps it would be a good idea to showcase common "bad" security decisions by example, or as stories. It would be very memorable to show, for example, how doing CSRF protection on each individual action is error-prone, or how doing sanitization manually on every input is error prone too. Something like The Daily WTF but for security vulnerabilities.

Does anyone know of a public collection of vulnerability root causes (with developers as target audience) out there? I realize there are public pentest reports, but they are usually focused on the vulnerability discoverer more than the developer's point of view. And the examples in sites like OWASP are very artificial, and not real stories.

But who decides what is "bad" security?  Advertisers want one thing, users want another, and developers want something else.

>From what perspective would this be coming from?


Any pointers?

Thanks

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Received on Monday, 9 May 2016 21:30:23 UTC