once more, with feeling.

Arshad Noor arshad.noor at strongauth.com
Mon Sep 8 17:32:40 EDT 2008


Darren Lasko wrote:
> Arshad Noor wrote:
>>
>> "6.5 Develop all web applications based on secure coding guidelines
>> such as the Open Web Application Security Project guidelines"
>>
> 
> Isn't this vulnerability already in the Top 10, specifically "A7 - Broken 
> Authentication and Session Management" (
> http://www.owasp.org/index.php/Top_10_2007-A7)?
> 

I was just informed of this 10 minutes ago, privately.

Not sure how I missed this the last time I read the document
(perhaps because I was focusing on remediating an application
related to two other vulnerabilities on a project), but the
bank examiners also apparently missed this for Wachovia.

While login pages are not required to be PCI-DSS compliant
(since they generally do not deal with credit card numbers),
it has been my impression that many companies are adopting
OWASP guidelines for all their web projects.  Perhaps it's
taking time for some more than others.

Arshad Noor
StrongAuth, Inc.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com