[132779] in cryptography@c2.net mail archive


Re: once more, with feeling.

daemon@ATHENA.MIT.EDU (Darren Lasko)
Mon Sep 8 18:13:40 2008

In-Reply-To: <48C57F7D.709@strongauth.com>
To: Arshad Noor <arshad.noor@strongauth.com>
Cc: cryptography@metzdowd.com, Paul Hoffman <paul.hoffman@vpnc.org>
From: Darren Lasko <dlasko@us.fujitsu.com>
Date: Mon, 8 Sep 2008 15:10:47 -0600

Arshad Noor wrote:
> A more optimal solution is to have this vulnerability accepted by
> the OWASP community as a "Top 10" security vulnerability; it will
> have the appropriate intended effect since mitigation to the OWASP
> defined vulnerabilities is required in PCI-DSS:
> 
> "6.5 Develop all web applications based on secure coding guidelines
> such as the Open Web Application Security Project guidelines"
> 

Isn't this vulnerability already in the Top 10, specifically "A7 - Broken 
Authentication and Session Management" 
(http://www.owasp.org/index.php/Top_10_2007-A7)?

From the "Protection" section for A7:

"Do not allow the login process to start from an unencrypted page. Always 
start the login process from a second, encrypted page with a fresh or new 
session token to prevent credential or session stealing, phishing attacks 
and session fixation attacks."

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
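One way to check a site's own pages against the A7 protection quoted above (the login process must start on an encrypted page, and the form must submit to one), as an added example that is not part of the original message; the host example.test and the HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collects every <form> and notes whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [action, has_password] per form
        self._current = None   # the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return findings for login forms that start or submit over plain HTTP.

    Both the page carrying the form and the form's submit target must be
    https; a relative action inherits the page's scheme via urljoin.
    """
    finder = _LoginFormFinder()
    finder.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for action, has_password in finder.forms:
        if not has_password:
            continue  # not a login form
        target = urljoin(page_url, action)
        target_scheme = urlsplit(target).scheme
        if page_scheme != "https":
            findings.append(f"login form served over {page_scheme}: {page_url}")
        if target_scheme != "https":
            findings.append(f"login form submits over {target_scheme}: {target}")
    return findings


# Constructed sample page: a login form posting to an absolute https URL,
# plus an unrelated search form that must not be flagged.
SAMPLE_HTML = """<html><body>
<form action="https://example.test/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>"""
```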
