Re: Nobody could have predicted an SQL Injection attack.
https://www.owasp.or...P_Top_Ten_Project
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Hmmm....
Thanks for the link. I hope it gets more visibility.

I chuckled, though, when I saw this:

Users and Adopters

The U.S. Federal Trade Commission strongly recommends that all companies use the OWASP Top Ten and ensure that their partners do the same. In addition, the U.S. Defense Information Systems Agency (DISA) has listed the OWASP Top Ten as key best practices that should be used as part of the DoD Information Assurance Certification and Accreditation Process (DIACAP).

In the commercial market, the Payment Card Industry (PCI) standard has adopted the OWASP Top Ten, and requires (among other things) that all merchants get a security code review for all their custom code. In addition, a broad range of companies and agencies around the globe are also using the OWASP Top Ten, including:

A.G. Edwards
Bank of Newport
Best Software
British Telecom
Bureau of Alcohol, Tobacco, and Firearms (ATF)
Citibank

[...]


Hmmm.

[edit:] TheReg has more - http://www.theregist...site_hack_simple/ (via the OWASP News page)

Cheers,
Scott.
Edited by Another Scott June 15, 2011, 11:44:16 AM EDT
There is a difference...
... between management thinking they are using it, and the developers actually living it.
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
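The injection the thread's subject line refers to is the first item on the OWASP Top Ten linked above. As an added illustration of the "management thinks we use it vs. developers live it" point, here is the textbook vulnerable lookup beside its parameterized form. This is example code written for this page, not anything from the thread, OWASP, or Citigroup's systems; the account table, names and payloads are constructed, and the in-memory SQLite database is an assumption so the snippet runs offline.

```python
import sqlite3

# Constructed sample data (not from the page): account number, customer name, password.
ACCOUNTS = [
    ("1001", "alice", "secret-a"),
    ("1002", "bob", "secret-b"),
    ("1003", "carol", "secret-c"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account):
    """The bug: attacker-controlled text is glued into the SQL statement.

    Whatever the caller supplies is parsed as SQL syntax, so a quote in the
    input ends the string literal and the rest becomes part of the WHERE clause.
    """
    sql = "SELECT name FROM users WHERE account = '" + account + "' ORDER BY account"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, account):
    """The fix: the value is bound to a placeholder and never parsed as SQL.

    The database engine receives the statement and the value separately, so a
    quote or comment marker in the input is just characters to compare against.
    """
    sql = "SELECT name FROM users WHERE account = ? ORDER BY account"
    return [row[0] for row in conn.execute(sql, (account,))]


# Two classic payloads (constructed): a tautology, and a comment that swallows the closing quote.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "x' OR 1=1 --"


def demo():
    """Run both lookups against an honest input and both payloads; return the results."""
    conn = make_db()
    results = {}
    for label, account in [("honest", "1001"),
                           ("tautology", PAYLOAD_TAUTOLOGY),
                           ("comment", PAYLOAD_COMMENT)]:
        results[label] = {
            "vulnerable": lookup_vulnerable(conn, account),
            "parameterized": lookup_parameterized(conn, account),
        }
    conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} vulnerable={outcome['vulnerable']} parameterized={outcome['parameterized']}")
```

With the honest account number both functions return one name. With either payload the concatenating version returns every customer in the table (the WHERE clause has been rewritten to be always true), while the parameterized version returns nothing because no account is literally named `' OR '1'='1`. The check a reviewer wants is simple: any query text built with `+`, `%` or an f-string from request data is the vulnerable shape, regardless of which framework or standard the organization says it follows.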
Could be they only used it in some places.
E.g. they might use it for CC transactions but not on the web interface for personal retail banking. As others have commented, they're no doubt much more careful in their CEO's personnel records and the CDS business security than they apparently are in dealing with their lowly customers' info... :-/

Cheers,
Scott.
     Citigroup hackers used trivial technique - (jay) - (14)
         Are you kidding me? - (malraux)
         Nobody could have predicted an SQL Injection attack. - (Another Scott) - (9)
             Re: Nobody could have predicted an SQL Injection attack. - (malraux) - (3)
                 Hmmm.... - (Another Scott) - (2)
                     There is a difference... - (malraux) - (1)
                         Could be they only used it in some places. - (Another Scott)
             Calling this SQL injection implies too much skill - (jay) - (1)
                 No, they did that too. - (malraux)
             Hogwash (responding to the subject line.) - (Steve Lowe) - (2)
                 Understood. - (Another Scott) - (1)
                     :) -NT - (Steve Lowe)
         I'd hate to be the PCI Auditors - (folkert) - (1)
             Oooh... good point. -NT - (static)
         Interesting comment to the legal folk - (Ashton)