[132780] in cryptography@c2.net mail archive


Re: once more, with feeling.

daemon@ATHENA.MIT.EDU (Arshad Noor)
Mon Sep 8 18:14:17 2008

Date: Mon, 08 Sep 2008 14:32:40 -0700
From: Arshad Noor <arshad.noor@strongauth.com>
To: Darren Lasko <dlasko@us.fujitsu.com>
CC: cryptography@metzdowd.com, Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <OF387C0CDA.6CB40CFD-ON872574BE.0073E457-872574BE.00745BE3@fcpa.fujitsu.com>

Darren Lasko wrote:
> Arshad Noor wrote:
>>
>> "6.5 Develop all web applications based on secure coding guidelines
>> such as the Open Web Application Security Project guidelines"
>>
> 
> Isn't this vulnerability already in the Top 10, specifically "A7 - Broken 
> Authentication and Session Management" (
> http://www.owasp.org/index.php/Top_10_2007-A7)?
> 

I was just informed of this 10 minutes ago, privately.

Not sure how I missed this the last time I read the document
(perhaps because I was focusing on remediating an application
related to two other vulnerabilities on a project), but the
bank examiners also apparently missed this for Wachovia.

While login pages are not required to be PCI-DSS compliant
(since they generally do not deal with credit card numbers),
it has been my impression that many companies are adopting
OWASP guidelines for all their web-projects.  Perhaps it's
taking time for some more than others.

Arshad Noor
StrongAuth, Inc.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
