RE: Bad security design

> It would be good when discussing 'good' and 'bad' security, to add the context, *what* are you securing, *who* are you securing it for, rather than just the *how*.

+1
Virginie



From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
Sent: mardi 10 mai 2016 12:48
To: GALINDO Virginie
Cc: Eduardo Vela; public-web-security@w3.org
Subject: Re: Bad security design



On 10 May 2016 at 12:28, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote:
Seems like identity and securing data on the web are worth writing a book,
see Identity and Data Security for Web Development
Best Practices, By Jonathan LeBlanc, Tim Messerschmidt : http://shop.oreilly.com/product/0636920044376.do


Looking forward to this!
I think identity ties in well with security, because in many, if not most, cases you are securing data that is tied to a user (agent).

Being able to accurately denote that user with an identifier is an essential piece.  All too often it is under-specified or left to the imagination, which can lead to messy security protocols, vulnerabilities, privacy breaches and centralization, often in a quite misunderstood way.
I'm hoping books like this, or even some blog posts, will be able to shed light.
It would be good when discussing 'good' and 'bad' security, to add the context, *what* are you securing, *who* are you securing it for, rather than just the *how*.


Regards,
Virginie


From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
Sent: lundi 9 mai 2016 22:39
To: Eduardo Vela
Cc: public-web-security@w3.org
Subject: Re: Bad security design



On 7 May 2016 at 14:07, Eduardo Vela <sirdarckcat@gmail.com> wrote:
Looking at the discussion in https://github.com/angular/angular/issues/8511, I got thinking that there aren't good resources for developers to learn what is bad "security" design.

Perhaps it would be a good idea to showcase common "bad" security decisions by example, or as stories. It would be very memorable to show, for example, how doing CSRF protection on each individual action is error-prone, or how doing sanitization manually on every input is error-prone too. Something like The Daily WTF but for security vulnerabilities.

Does anyone know of a public collection of vulnerability root causes (with developers as target audience) out there? I realize there are public pentest reports, but they are usually focused on the vulnerability discoverer more than the developer's point of view. And the examples in sites like OWASP are very artificial, and not real stories.

But who decides what is "bad" security?  Advertisers want one thing, users want another, and developers want something else.
From what perspective would this be coming from?


Any pointers?

Thanks

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Received on Tuesday, 10 May 2016 12:44:25 UTC