<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Do as I Say&#8230;</title>
	<atom:link href="http://www.analyticalengine.net/archives/205/feed" rel="self" type="application/rss+xml" />
	<link>http://www.analyticalengine.net/archives/205</link>
	<description>Application Security, General Technology, and Geek Ramblings</description>
	<lastBuildDate>Wed, 09 Dec 2009 17:47:13 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
	<item>
		<title>By: Joshbw</title>
		<link>http://www.analyticalengine.net/archives/205/comment-page-1#comment-1317</link>
		<dc:creator>Joshbw</dc:creator>
		<pubDate>Wed, 09 Dec 2009 17:47:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=205#comment-1317</guid>
		<description>Incidentally, to further blemish myself, one thing correctly pointed out in the mediawiki bugzilla discussion that I *should* have thought about myself was that in terms of the verbose login messages, a change is pointless.  There are numerous ways to discover valid user accounts, intentionally in the design of the application, so when it comes down to it it matters little that you can do so on the login page.  

Thus my complaints in that regard appear quite silly.</description>
		<content:encoded><![CDATA[<p>Incidentally, to further blemish myself, one thing correctly pointed out in the mediawiki bugzilla discussion that I *should* have thought about myself was that in terms of the verbose login messages, a change is pointless.  There are numerous ways to discover valid user accounts, intentionally in the design of the application, so when it comes down to it it matters little that you can do so on the login page.  </p>
<p>Thus my complaints in that regard appear quite silly.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Joshbw</title>
		<link>http://www.analyticalengine.net/archives/205/comment-page-1#comment-1316</link>
		<dc:creator>Joshbw</dc:creator>
		<pubDate>Wed, 09 Dec 2009 17:38:49 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=205#comment-1316</guid>
		<description>Hey guys, do as I say, not as I do... and indeed, casual hypocrisy is hard to combat.  As I was writing this I certainly realized I was passing the buck.  The security edge open source has over proprietary is that anyone who notices a problem can fix it (I think that is balanced by the fact that blackhats who have no intention of fixing a problem have a bit easier time finding them with access to the source), and indeed since I noticed the problem I could certainly fix it myself.  I plead hardware failure as an excuse, as my personal dev box is toast at the moment (come on generous tax return, Daddy needs a new computer) but I have gone and opened bugs with the MediaWiki Project.  In general though, as a consumer of multiple OSS projects myself I should do a better job giving back - they may be free of cost, but I really should recognize a level of obligation as a result of my use regardless.  

In terms of OWASP, the resources the organization provides are ones I have referred a multitude of developers to, and have in turn contributed to several pages, but certainly considering the utility it has provided me I owe some more back its way. 

&lt;blockquote&gt;In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good. &lt;/blockquote&gt;

Indeed that is something I fully understand.  Security is just one business need among many, and the business needs to balance competing needs.  I think an underlying message to my post is that security teams need to be reasonable in their security pronouncements - all too often security professionals like to speak in absolutes as if security considerations are on a higher pedestal when at the same time they implicitly understand that they themselves are weighing the security of their own properties relative to the other business considerations of their properties.  In general I think those of us in the enterprise are obligated to live our examples - in our own projects find the right balance of security versus other considerations (or even security versus security; often confidentiality, integrity, and availability are competing rather than complementary concepts) and use that to inform our education of the rest of the enterprise.</description>
		<content:encoded><![CDATA[<p>Hey guys, do as I say, not as I do&#8230; and indeed, casual hypocrisy is hard to combat.  As I was writing this I certainly realized I was passing the buck.  The security edge open source has over proprietary is that anyone who notices a problem can fix it (I think that is balanced by the fact that blackhats who have no intention of fixing a problem have a bit easier time finding them with access to the source), and indeed since I noticed the problem I could certainly fix it myself.  I plead hardware failure as an excuse, as my personal dev box is toast at the moment (come on generous tax return, Daddy needs a new computer) but I have gone and opened bugs with the MediaWiki Project.  In general though, as a consumer of multiple OSS projects myself I should do a better job giving back &#8211; they may be free of cost, but I really should recognize a level of obligation as a result of my use regardless.  </p>
<p>In terms of OWASP, the resources the organization provides are ones I have referred a multitude of developers to, and have in turn contributed to several pages, but certainly considering the utility it has provided me I owe some more back its way. </p>
<blockquote><p>In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good. </p></blockquote>
<p>Indeed that is something I fully understand.  Security is just one business need among many, and the business needs to balance competing needs.  I think an underlying message to my post is that security teams need to be reasonable in their security pronouncements &#8211; all too often security professionals like to speak in absolutes as if security considerations are on a higher pedestal when at the same time they implicitly understand that they themselves are weighing the security of their own properties relative to the other business considerations of their properties.  In general I think those of us in the enterprise are obligated to live our examples &#8211; in our own projects find the right balance of security versus other considerations (or even security versus security; often confidentiality, integrity, and availability are competing rather than complementary concepts) and use that to inform our education of the rest of the enterprise.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff Williams</title>
		<link>http://www.analyticalengine.net/archives/205/comment-page-1#comment-1315</link>
		<dc:creator>Jeff Williams</dc:creator>
		<pubDate>Wed, 09 Dec 2009 15:55:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=205#comment-1315</guid>
		<description>Thanks Josh!  I think your basic point is right, and we should eat our own dogfood.

Please remember that OWASP is an all-volunteer organization operating on a shoestring budget. We *have* given considerable support to a huge range of open source projects, including MediaWiki, Spring, Hudson, and many others. You should know that we have invested pretty heavily in the security of the OWASP site, with hardening, patching, configuration, custom plugins, etc... but there&#039;s obviously more we can do.

In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there&#039;s an important lesson for developers here that security is not black-and-white.  You always have to balance the cost to the business against the investment in security...and if that&#039;s what developers take away from the OWASP site then I think we&#039;ve done something good. Nevertheless, your point about the risk to the integrity of our message is a good one.

So I have to ask - how about working with OWASP and MediaWiki to get the changes you want implemented?

Thanks!</description>
		<content:encoded><![CDATA[<p>Thanks Josh!  I think your basic point is right, and we should eat our own dogfood.</p>
<p>Please remember that OWASP is an all-volunteer organization operating on a shoestring budget. We *have* given considerable support to a huge range of open source projects, including MediaWiki, Spring, Hudson, and many others. You should know that we have invested pretty heavily in the security of the OWASP site, with hardening, patching, configuration, custom plugins, etc&#8230; but there&#8217;s obviously more we can do.</p>
<p>In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there&#8217;s an important lesson for developers here that security is not black-and-white.  You always have to balance the cost to the business against the investment in security&#8230;and if that&#8217;s what developers take away from the OWASP site then I think we&#8217;ve done something good. Nevertheless, your point about the risk to the integrity of our message is a good one.</p>
<p>So I have to ask &#8211; how about working with OWASP and MediaWiki to get the changes you want implemented?</p>
<p>Thanks!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Michael Coates</title>
		<link>http://www.analyticalengine.net/archives/205/comment-page-1#comment-1314</link>
		<dc:creator>Michael Coates</dc:creator>
		<pubDate>Tue, 08 Dec 2009 19:44:46 +0000</pubDate>
		<guid isPermaLink="false">http://www.analyticalengine.net/?p=205#comment-1314</guid>
		<description>Joshbw,
OWASP is a non-profit organization completely run by volunteers who have the passion, skill and interest to pursue a particular area of application security for the betterment of everyone. As such, particular areas of OWASP have prospered due to a collaborative effort of generous volunteers.

It sounds like you definitely have the passion and skill in this area and have highlighted an area which could be enhanced. Would you like to take the lead here and help the OWASP mission?  

-Michael</description>
		<content:encoded><![CDATA[<p>Joshbw,<br />
OWASP is a non-profit organization completely run by volunteers who have the passion, skill and interest to pursue a particular area of application security for the betterment of everyone. As such, particular areas of OWASP have prospered due to a collaborative effort of generous volunteers.</p>
<p>It sounds like you definitely have the passion and skill in this area and have highlighted an area which could be enhanced. Would you like to take the lead here and help the OWASP mission?  </p>
<p>-Michael</p>
]]></content:encoded>
	</item>
</channel>
</rss>
