Monday, May 14, 2007

Risky Business Podcast

Last week I did a second podcast interview with Patrick Gray of ITRadio.com.au. We primarily chatted about “The ethics of Web application security research, and liability concerns for consumers who bank online.” The message is starting to get out there about the new issues we face in webappsec with respect to disclosure and discovery. The game is definitely changing as people are becoming aware. Unfortunately there’s no easy answer to the challenges involved. We can only hope to continue participating in the dialog and hope that common sense practices prevail.

Also, I must have missed the Risky Business RSS feed the first time around; they have some good-looking content available that I’ll be trying to catch up on.

2 comments:

Chris_B said...

"ethics of Web application security research"? For the most part I'd say that this industry is desperately lacking in ethics.

I'll have to check the podcast to see what you said. I notice that an ethics practice statement is absent from www.whitehatsec.com.

Care to come clean in print as to what your personal ethics are in this matter?

Jeremiah Grossman said...

Hmmm, hadn't been asked that question in a while. I wish I had something eloquent from the marketing dept to rip from, but I don't. First I'm interested to know why you believe the industry is "desperately lacking in ethics." Not saying you're right or wrong, just curious about why you think so. Is it just webappsec, or all of infosec?

And I found this statement odd... "Care to come clean...", I didn't realize I was dirty.

Anyway....

Corporate speaking, WhiteHat as policy does not test any websites without signed written consent from the person of authority. That should clear that up.

As for myself personally, I have been known to play in the gray area more than I should have in retrospect. But I also suppose this is more common than not. However, it's also been the reason I've been able to learn as much as I have, earn employment, and help many website owners in the process. So it would be hypocritical of me to speak harshly against those who continue the practice; instead I caution them about what "could" happen as things are evolving.

These days any extracurricular activities I participate in are usually through personal contacts I have at companies who share beta/test accounts with me on their web properties.

In exchange for me poking around learning and having a fun time, with nothing more than a nod of understanding, I privately disclose anything I might find and that has worked well for both parties.

Google is a good example of this, but certainly not the only one
http://www.google.com/corporate/security.html