Information Security News mailing list archives

Re: Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 28 Jul 2008 02:46:43 -0500 (CDT)

Forwarded from: "Atul Prakash" <aprakash (at) eecs.umich.edu>
To: "security curmudgeon" <jericho (at) attrition.org>

Thanks for your comments. You may want to see the copy of the 
presentation and the videos from our presentation today at the symposium, 
which we will be posting - the plan is to do it tomorrow.

Irrespective of the quibbles one may have with the study (and we 
disclose many limitations ourselves - that is the nature of research), 
the key point we want to make is that there is substantial scope for 
improvement in banks' web sites and we make specific recommendations. 
What we are hoping is that bank sites will become both easier to use and 
more secure for their customers as a result of this study.

We welcome other studies that look at more recent snapshots of bank 
sites. It would be great if there is a finding by others that the 
problems we observed have gone away.

We will post info on the presentation and videos at:

http://bankwebsecurity.blogspot.com



-- Atul


On Fri, Jul 25, 2008 at 11:05 AM, security curmudgeon <jericho (at) attrition.org> wrote:


After being provided a link to the original paper and reading 
additional comments, I wanted to follow up on my original post [1] 
with more thoughts. If you want the slightly more technical review, 
search down to "methodology review". The paper in question is 
"Analyzing Websites for User-Visible Security Design Flaws" by Laura 
Falk, Atul Prakash and Kevin Borders [2]. I strongly encourage more 
security professionals to provide peer scrutiny to security research 
coming from universities.

As was pointed out, the research was done in 2006 (testing in Nov/Dec) 
but the results are just now being published. Three people working on 
a study on 214 web sites should not take that long to publish. To wait 
so long in publishing research on a topic like this, one must question 
if it is responsible, or more to the point, relevant. In the world of 
high end custom banking applications, my experience consulting for 
such companies tells me that many will do periodic audits from third 
parties and that these sites get continuous improvements and changes 
every week. One of the web sites I use for personal banking has 
changed dramatically in the last 12 months, making huge changes to the 
functionality and presumably architecture, security and design.

[...]

