Re: Web security breach changes the lives of 119 people

From: Jeff Williams (jeff.williams@owasp.org)
Date: Fri Mar 18 2005 - 15:20:49 CST


Getting security into the contract is easier said than done. That's why we
wrote the "Secure Software Development Contract Annex"
(http://www.owasp.org/documentation/legal.html). It's intended to help
software buyers and sellers have a conversation about security and get it
captured in their contract.

--Jeff

----- Original Message -----
From: "El C0chin0" <mr.nasty@ix.netcom.com>
To: <webappsec@securityfocus.com>
Sent: Monday, March 14, 2005 4:52 PM
Subject: Re: Web security breach changes the lives of 119 people

> In-Reply-To:
> <63434C14F9A6F74CB36B85033E4C30CA0142C81Chermes.corp.cyveillance.com>
>
> You all make very good points. All of which I'm sure (sarcasm) was taken
> into account by Harvard. Seriously, the issue here isn't what the
> candidates did to 'hack' into the system, it's what Harvard's IT department
> did not do to prevent it in the first place.
>
> We're talking Harvard here, one of the most prestigious business schools.
> They graduate some of the most highly sought-after graduates in the
> country.
>
> Was there a serious thought to SDLC in the process of acquiring the
> contract with ApplyYourself Inc.? If so, then "Security" should have been
> one of the prerequisites in the contract. If so, then it should have been
> documented.
>
> Although it does appear that these students were a bit overzealous in
> trying to figure out whether they'd been accepted (human nature), the 'hack'
> was still there.
>
> Had the 'hack' not been publicly posted then Harvard would have never
> known?
>
> My point here is that Harvard is duly responsible for the breach. If there
> was no consideration for SECURITY during the SDLC then I hold them
> responsible. And as a Security Professional my opinion is that they
> failed.
>
> Now, just who would want to go to a school that can't practice what they
> teach?
>
> Personally, Harvard should lick their wounds, audit the process of
> contract acceptance, determine if SECURITY was part of the SDLC, fix the
> problem, and go on. Not admitting these students as a fix to their problem
> looks a lot like our current political environment has influenced our
> character.
>
>>From: "Bill Nichols" <Bnichols@Cyveillance.com>
>>To: <webappsec@securityfocus.com>
>>
>>Actually, it appears that the exploit was on individual accounts that
>>each required a separate login. Once (legally) logged into the
>>application, users could then slightly modify the URL in the browser,
>>and point to a page that only school officials were supposed to be able
>>to access. In most cases, the result page was blank, since the schools
>>had not yet posted their decision. Incredibly shoddy application design,
>>but it makes it unlikely that one person performed multiple attempts.
>>
>>-----Original Message-----
>>From: Jason Coombs [mailto:jasonc@science.org]
>>Sent: Wednesday, March 09, 2005 7:35 PM
>>Subject: Re: Web security breach changes the lives of 119 people
>>
>>Chances are that nobody at Harvard Business School or ApplyYourself Inc.
>>bothered to contemplate the most obvious scenario: that somebody other
>>than the 119 accused, or their friends and family, was responsible for
>>the majority of (or all of) the attempts to access application records.
>>
>>What information of a personal nature would have been required in order
>>to access the pending application? Social Security Number? Perhaps it
>>was possible to browse any one of the pending applications once one had
>>penetrated the ApplyYourself Inc. security perimeter.
>>
>>Are 118 applicants being accused of hacking because of the actions of a
>>single applicant? This is more likely than is the scenario as it has
>>been depicted.
>>
>>Unfortunately, even Harvard Business School now believes, in the current
>>climate of mistrust and fraud in the U.S. Government and U.S.
>>marketplace, that it is more likely that the 119 applicants just
>>couldn't wait for their admission answers through proper channels.
>>
>>Common sense is dead. Long live the Internet.
>>
>>Regards,
>>
>>Jason Coombs
>>jasonc@science.org
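Bill Nichols describes an application that checked only that a user was logged in, so editing the URL was enough to reach a page meant for school officials. The following is an added illustration, not code from the thread or from ApplyYourself; the accounts, the `/official/decision/<id>` route and the decision data are constructed, and the two dispatchers contrast the authentication-only design with one that also enforces the officials' role on every request.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample accounts (not from the thread): two applicants and one admissions official.
USERS = {
    "applicant-1": {"role": "applicant", "application_id": 1001},
    "applicant-2": {"role": "applicant", "application_id": 1002},
    "officer-1": {"role": "official", "application_id": None},
}
# Decisions recorded so far; 1002 has none, so its page renders blank, as Bill Nichols describes.
DECISIONS = {1001: "admit"}
OFFICIAL_PREFIX = "/official/decision/"  # hypothetical route reserved for school officials

@dataclass
class Session:
    user: str  # set server-side at login; the client cannot alter it

def decision_page(application_id: int) -> str:
    """Render the recorded decision, or an empty page if none has been posted yet."""
    return DECISIONS.get(application_id, "")

def parse_official_path(path: str) -> Optional[int]:
    """Return the application id from an officials' URL, or None if the path is not one."""
    if not path.startswith(OFFICIAL_PREFIX):
        return None
    suffix = path[len(OFFICIAL_PREFIX):]
    return int(suffix) if suffix.isdigit() else None

def vulnerable_dispatch(session: Session, path: str) -> Tuple[int, str]:
    """Authentication only: any logged-in user who edits the URL reaches the officials' page."""
    if session.user not in USERS:
        return 401, ""
    app_id = parse_official_path(path)
    if app_id is None:
        return 404, ""
    return 200, decision_page(app_id)  # no check of who is asking

def hardened_dispatch(session: Session, path: str) -> Tuple[int, str]:
    """Authentication plus authorization: the role check runs on every officials' request."""
    user = USERS.get(session.user)
    if user is None:
        return 401, ""
    app_id = parse_official_path(path)
    if app_id is None:
        return 404, ""
    if user["role"] != "official":
        return 403, ""  # worth logging: an applicant session requesting an officials' URL
    return 200, decision_page(app_id)
```

In the hardened version the 403 responses are also the detection signal: applicant sessions requesting officials' URLs stand out in the access log, whereas the original design returned 200 and a blank page.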