RE: Bad security design from GALINDO Virginie on 2016-05-10 (public-web-security@w3.org from May 2016)

From: GALINDO Virginie <Virginie.Galindo@gemalto.com>
Date: Tue, 10 May 2016 10:28:59 +0000
To: Melvin Carvalho <melvincarvalho@gmail.com>, Eduardo Vela <sirdarckcat@gmail.com>
CC: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <540E99C53248CE468F6F7702588ABA2A0146C2A476@A1GTOEMBXV005.gto.a3c.atos.net>

Seems like identity and securing data on the web are worth writing a book,
see Identity and Data Security for Web Development
Best Practices, By Jonathan LeBlanc, Tim Messerschmidt : http://shop.oreilly.com/product/0636920044376.do


Regards,
Virginie


From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
Sent: lundi 9 mai 2016 22:39
To: Eduardo Vela
Cc: public-web-security@w3.org
Subject: Re: Bad security design



On 7 May 2016 at 14:07, Eduardo Vela <sirdarckcat@gmail.com<mailto:sirdarckcat@gmail.com>> wrote:
Looking at the discussion in https://github.com/angular/angular/issues/8511, I got thinking that there aren't good resources for developers to learn what is bad "security" design.

Perhaps it would be a good idea to showcase common "bad" security decisions by example, or as stories. It would be very memorable to show, for example, how doing CSRF protection on each individual action is error-prone, or how doing sanitization manually on every input is error prone too. Something like The Daily WTF but for security vulnerabilities.

Does anyone know of a public collection of vulnerability root causes (with developers as target audience) out there? I realize there are public pentest reports, but they are usually focused on the vulnerability discoverer more than the developer's point of view. And the examples in sites like OWASP are very artificial, and not real stories.

But who decides what is "bad" security?  Advertisers want one thing, users want another, and developers want something else.
From what perspective would this be coming from?


Any pointers?

Thanks

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Received on Tuesday, 10 May 2016 10:30:05 UTC