WebApp Sec mailing list archives
Re: An Open Letter (and Challenge) to the Application Security Consortium
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Sat, 20 Nov 2004 21:00:07 -0600
I need to agree that there needs to be some standards for "truth in advertising" for IT products. I've gotten to the point that I don't even want to talk to anyone's sales critters any more. I've asked more than one to leave and not come back because they told some real whoppers or offered me "gifts" in an effort to sell me their product. There are too many vendors who send sales people out into the field and tell them to say "whatever it takes to close the deal".
From my perspective, if I'm spending $50K of my employer's money on your product, either method is highly unethical. If your company is that poorly run, will you be around when I need service? If your company is that unethical, do I really want your product doing god knows what on my network? If your company has to resort to these kinds of practices to close a sale, how crappy is your product? If you want to sell me something, you had better give me the product in an unaltered state for 90-120 days and I'll tell you if I want it or not. No demo = no interest from me = no sale. This goes for more than just security products. We recently purchased a help desk type ticketing system for handling our internal work flow. 3 major vendors got cut out of the running because the only demo that they would give us was some flash or some other "precooked" demo on their web site. That doesn't cut it. I've been lied to far too many times to shell out a single dollar of my employer's money without a demo period on ANYTHING.

What all the marketing wonks don't seem to get is that lying to techies is bad. It's bad because we WILL find out. Your Fantabulous SuperWidget2000 will fail to do something that you swore to me it would do or it will do something that you swore to me would never happen. Either way, the truth is coming out. Once I find out that your company's marketing materials lied to me, I assume that your whole company is populated with crooks and liars and I'll probably never do business with you again. If it's just one person, I can excuse that as ignorance, incompetence, etc., but the actual brochures, et al., published by the company are a totally different issue.

Let me explain to the marketing wonks what that means. I have an average working expectancy of 50 years. Average time on a job is 3.5 years. That means I'll hold 14 jobs in the course of my working life. If the average shop is 50 people, that's going to be 700 people who hear about my terrible experience every time your company's name is mentioned.
Each and every one of those 700 will encounter another 700 people in their working life as well and they'll repeat the story of my bad experience with those horrible liars.

2 cents,

On Tue, 16 Nov 2004 18:19:23 -0800, ban.marketing.bs () hushmail com <ban.marketing.bs () hushmail com> wrote:

Fair call, but isn't it also about time someone called BS on your members for the shiny red button marketing of app scanners? Point them at WebGoat, WebMaven, Hacme Bank and they all fail miserably. (Note they all pass their in-house written canned test apps though.) I want to see some real test results for these things. My results show less than 1 in 10 issues in the real world. That's horrible. I say good for OWASP for sticking up for the masses and calling BS where they see it. Please make sure you cover app scanners as well!

Some people may have been under the impression that this letter was directed towards the "Web Application Security Consortium" (WASC) http://www.webappsec.org. To clarify, I believe this letter was meant for ANOTHER group including F5, Imperva, NetContinuum, and Teros. Specifically a challenge they sent to Check Point, Cisco, Juniper, McAfee and Symantec. Many industry acronyms are very close. Reference the following URLs for background.

The press release found here: https://www.netcontinuum.com/newsroom/pressReleaseItem.cfm?uid=42
Further industry coverage here: http://news.com.com/Group+aims+to+create+hallmark+of+security/2100-1029_3-5443154.html
and here: http://biz.yahoo.com/prnews/041109/sftu090_1.html

Regards,
Jeremiah Grossman

On Monday, November 15, 2004, at 07:34 PM, The OWASP Project wrote:

An Open Letter (and Challenge) to the Application Security Consortium

Since its inception in late 2000 the Open Web Application Security Project (OWASP) has provided free and open tools and documentation to educate people about the increasing threat of insecure web applications and web services. As a not-for-profit charitable foundation, one of our community responsibilities is to ensure that fair and balanced information is available to companies and consumers. Our work has become recommended reading by the Federal Trade Commission, VISA, the Defense Information Systems Agency and many other commercial and government entities.

The newly unveiled Application Security Consortium recently announced a "Web Application Security Challenge" to other vendors at the Computer Security Institute (CSI) show in Washington, D.C. This group of security product vendors proposes to create a new minimum criteria and then rate their own products against it. The OWASP community is deeply concerned that this criteria will mislead consumers and result in a false sense of security. In the interest of fairness, we believe the Application Security Consortium should disclose what security issues their products do not address.

As a group with a wide range of international members from leading financial services organizations, pharmaceutical companies, manufacturing companies, service providers, and technology vendors, we are constantly reminded about the diverse range of vulnerabilities that are present in web applications and web services. The very small selection of vulnerabilities you are proposing to become a testing criteria are far from representative of what our members see in the real world and therefore do not represent a fair or suitable test criteria. In fact, it seems quite a coincidence that the issues you have chosen seem to closely mirror the issues that your technology category is typically able to detect, while ignoring very common vulnerabilities that cause serious problems for companies.

Robert Graham, Chief Scientist at Internet Security Systems, recently commented on application firewalls in an interview for CNET news. When asked the question "How important do you think application firewalls will become in the future?" his answer was "Not very."

"Let me give you an example of something that happened with me. Not long ago, I ordered a plasma screen online, which was to be shipped by a local company in Atlanta. And the company gave me a six-digit shipping number. Accidentally, I typed in an incremental of my shipping number (on the online tracking Web site). Now, a six-digit number is a small number, so of course I got someone else's user account information. And the reason that happened was due to the way they've set up their user IDs, by incrementing from a six-digit number. So here's the irony: Their system may be so cryptographically secure that (the) chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilization. Still, I could get at the next ID easily. There is no application firewall that can solve this problem. With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place."

This story echoes some of the fundamental beliefs and wisdom shared by the collective members of OWASP. Our experience shows that the problems we face with insecure software cannot be fixed with technology alone. Building secure software requires deep changes in our development culture, including people, processes, and technology.

We challenge the members of the Application Security Consortium to accept a fair evaluation of their products. OWASP will work with its members (your customers) to create an open set of criteria that is representative of the web application and web services issues found in the real world. OWASP will then build a web application that contains each of these issues. The criteria and web application will be submitted to an independent testing company to evaluate your products. You can submit your products to be tested against the criteria (without having prior access to the code) on the basis that the results are able to be published freely and will be unabridged.

We believe that this kind of marketing stunt is irresponsible and severely distracts awareness from the real issues surrounding web application and web services security. Corporations need to understand that they must build better software and not seek an elusive silver bullet.

We urge the Consortium not to go forward with their criteria, but to take OWASP up on our offer to produce a meaningful standard and test environment that are open and free for all.

Contact: owasp () owasp org
Website: www.owasp.org
-- Thanks, Jimi
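The shipping-number story quoted in the OWASP letter, modelled as an added Python example (mine, not code from the thread or from any product named in it): constructed sample records with sequential six-digit IDs, a stand-in perimeter filter that sees only the request and so cannot tell the two lookups apart, the lookup without an ownership check beside the fixed one, and a random-token issuer as the complementary mitigation. All names, IDs and addresses are constructed.

```python
"""Why an additive perimeter product cannot fix a missing authorization check.

Sequential six-digit shipping numbers are guessable, but the real defect is
that the tracking endpoint never checks that the caller owns the shipment.
A filter that only sees the HTTP request passes the neighbour's lookup just
as it passes the legitimate one; the fix lives in the application.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass
class Shipment:
    shipping_id: str   # six digits, issued by incrementing a counter
    owner: str         # account that placed the order
    address: str       # the data that leaked in the anecdote


# Constructed sample records (not real shipments or people).
SHIPMENTS: Dict[str, Shipment] = {
    "483201": Shipment("483201", "robert", "1 Peachtree St, Atlanta"),
    "483202": Shipment("483202", "alice", "22 Elm Rd, Atlanta"),
}


def neighbour_id(shipping_id: str) -> str:
    """The 'incremental' typo from the story: a counter ID plus one is another valid ID."""
    return f"{int(shipping_id) + 1:06d}"


def request_filter_allows(path: str) -> bool:
    """Stand-in for a perimeter filter: it can only judge the request's shape.
    /track/483201 and /track/483202 are equally well-formed, so both pass."""
    return path.startswith("/track/") and path[len("/track/"):].isdigit()


def track_vulnerable(path: str, caller: str) -> Optional[str]:
    """'Before': record is looked up by ID alone; the caller's identity is ignored."""
    shipment = SHIPMENTS.get(path[len("/track/"):])
    return shipment.address if shipment else None


def track_fixed(path: str, caller: str) -> Optional[str]:
    """'After': object-level authorization; the record must belong to the caller."""
    shipment = SHIPMENTS.get(path[len("/track/"):])
    if shipment is None or shipment.owner != caller:
        return None    # identical response for 'missing' and 'not yours'
    return shipment.address


def issue_unguessable_id() -> str:
    """Complementary mitigation (assumed design): a random token instead of a counter."""
    return secrets.token_urlsafe(16)
```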
Current thread:
- An Open Letter (and Challenge) to the Application Security Consortium The OWASP Project (Nov 15)
- Re: An Open Letter (and Challenge) to the Application Security Consortium Jeremiah Grossman (Nov 16)
- <Possible follow-ups>
- Re: An Open Letter (and Challenge) to the Application Security Consortium ban.marketing.bs (Nov 20)
- Re: An Open Letter (and Challenge) to the Application Security Consortium Jimi Thompson (Nov 22)