Monday, July 07, 2008

Some unanswered questions

Some thoughts from over the holiday weekend.

1) Is time (adding or taking away) the only defense against web application timing attacks?
2) What good is using SSL to encrypt usernames/passwords when all other sensitive data is not?
3) Who is getting fined for how much due to lack of PCI-DSS compliance?
4) If automated vulnerability scanning of an application is a test of the tools intelligence, is manual testing a test of the human's intelligence?
5) When oh when will the TCv2 finally be finished!? :)

11 comments:

Robert said...

The TCv2 will be done when it is ready and not any sooner :)

Robert said...

Oh and we're looking for volunteers to help with authoring sections and peer review. Please email robert_@_webappsec.org (without the _'s) with the subject 'I would like to contribute towards the TCv2' as the subject.

Christian said...

2) I agree that if you only encrypt the authentication channel but leave all other channels unencrypted, especially those containing sensitive data, that you haven't thoroughly addressed the risk. You have mitigated _some_ of the weaknesses though, but not enough (imho).

4) Is the effectiveness of an automated tool really a test of it's intelligence? Can any tool really be intelligent? I'm of the belief that a tool in the hand of an unintelligent person*, regardless of how good the tool is, will still prove to be ineffective.

*nb: unintelligent person doesn't mean low IQ or anything. That could mean anything, including someone who is rushing to meet deadlines for example.

Arshan Dabirsiaghi said...

4) You can't really anthropomorphize the tools in this space. Although they've got some facets of "learning", the constructs are essentially static.

For the record, I think manual testing reflects 4 things (in no particular order):
1) tester's intelligence
2) tester's creativity
3) tester's training
4) tester's process

Jeremiah Grossman said...

"anthropomorphize" word of the day? :) I had to go look it up. ahahah.

Christian said...

I like and agree with what Arshan was saying with regard to what manual testing reflects.

Jeremiah Grossman said...

Its kinda funny. You think you are testing a website, but at the same time its testing you as well.

Christian said...

@jeremiah Okay. Are you trying to scare me? I haven't even had my morning coffee yet.

Jeremiah Grossman said...

HAH. I'm thinking it would be classic if at the end the website generated a report on your intelligence. :)

Christian said...

@jeremiah: Dear Pentester, our results show that you have an IQ of approximately 120. You have perhaps attended SANS 538 and you appear to be following the OWASP Testing Guide process with about 80% accuracy.

Alexander Berezhnoy said...

Wow, it's a great idea.
Imagine a pentester's training server which calculates tests coverage and sums the results.

That's much more funny than those "choose a variant" tests.

That kind of a server must be quite intelligent itself, though.