7 Deadly Sins of Website Vulnerability Disclosure

The security specialist, Jeremiah Grossman, discusses "7 Deadly Sins of Website Vulnerability Disclosure" including Pride, Wrath, Desertion, Blame, Arrogance, Sloth, and Uncommunicative. His advice on arrogance is particularly poignant:

Dismissing or reprioritizing a vulnerability disclosure because a website uses SSL, is PCI compliant, or sports a HackerSafe logo is absurd. Compliance != Security. These credentials will not ward off the bad guys or prevent an incident from occurring. In fact, it might attract new attackers because it represents an interesting challenge. Compliance standards are typically a minimum baseline, and the skill of the average hacker (good, bad, or gray) easily outpaces the required security measures. Mandating security throughout the SDLC does not result in perfect code. Protecting a website is very difficult as you have to defend against all issues all the time. Someone on the outside only needs to find ONE issue to place the odds in their favor.

7 Deadly Sins of Website Vulnerability Disclosure - [Blogspot Jeremiah Grossman]

Originally posted on Fri Jul 6, 2007