- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Tue, 10 May 2016 12:48:28 +0200
- To: GALINDO Virginie <Virginie.Galindo@gemalto.com>
- Cc: Eduardo Vela <sirdarckcat@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
- Message-ID: <CAKaEYhJU92zQXGpZxoK--tH3svyicS8yEjJ1tn4u4navVi=uSA@mail.gmail.com>
On 10 May 2016 at 12:28, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote: > Seems like identity and securing data on the web are worth writing a book, > > see Identity and Data Security for Web Development > > Best Practices, By Jonathan LeBlanc, Tim Messerschmidt : > http://shop.oreilly.com/product/0636920044376.do > Looking forward to this! I think identity ties well together with security. Because in many, if not most, cases you are securing data that is tied to a user (agent). Being able to accurately denote that user with an identifier is an essential piece. All too often it is under specified or left to the imagination, which can lead to messy security protocols, vulnerabilities, privacy breaches and centralization, in often a quite misunderstood way. Im hoping books like this, or even some blog posts, will be able to shed light. It would be good when discussing 'good' and 'bad' security, to add the context, *what* are you securing, *who* are you securing it for, rather than, just the *how*. > > > Regards, > > Virginie > > > > > > *From:* Melvin Carvalho [mailto:melvincarvalho@gmail.com] > *Sent:* lundi 9 mai 2016 22:39 > *To:* Eduardo Vela > *Cc:* public-web-security@w3.org > *Subject:* Re: Bad security design > > > > > > > > On 7 May 2016 at 14:07, Eduardo Vela <sirdarckcat@gmail.com> wrote: > > Looking at the discussion in > https://github.com/angular/angular/issues/8511, I got thinking that there > aren't good resources for developers to learn what is bad "security" design. > > > > Perhaps it would be a good idea to showcase common "bad" security > decisions by example, or as stories. It would be very memorable to show, > for example, how doing CSRF protection on each individual action is > error-prone, or how doing sanitization manually on every input is error > prone too. Something like The Daily WTF but for security vulnerabilities. > > > > Does anyone know of a public collection of vulnerability root causes (with > developers as target audience) out there? I realize there are public > pentest reports, but they are usually focused on the vulnerability > discoverer more than the developer's point of view. And the examples in > sites like OWASP are very artificial, and not real stories. > > > > But who decides what is "bad" security? Advertisers want one thing, users > want another, and developers want something else. > > From what perspective would this be coming from? > > > > > > Any pointers? > > > > Thanks > > > ------------------------------ > This message and any attachments are intended solely for the addressees > and may contain confidential information. Any unauthorized use or > disclosure, either whole or partial, is prohibited. > E-mails are susceptible to alteration. Our company shall not be liable for > the message if altered, changed or falsified. If you are not the intended > recipient of this message, please delete it and notify the sender. > Although all reasonable efforts have been made to keep this transmission > free from viruses, the sender will not be liable for damages caused by a > transmitted virus. >
Received on Tuesday, 10 May 2016 10:56:04 UTC