Add advice regarding Human Factors #13
Comments
While I don't disagree that human factors need accounting for I'm not sure this is specifically applicable to the Testing Guide project.
This is a simple "duty of care" issue. The fines for getting this stuff wrong in the EU are now crippling, it's only going to take one lawsuit where the victim comes looking for the cause when you're going to realize it was prudent to warn those victims in advance about what your guide leaves out. Think about it this way: you're in an accident, and the life-support system keeping you alive was "signed off" for production after being tested with your guide. Do you want the compliance people to have tested all the known security oversights, or just the ones in your guide? If it's all, then your guide needs to tell them that it is not all.
I'm sure it'll be suitably prefaced. It's a guide not a standard. Plus the day after it's published there'll be some new attack and hence test type that it fails to cover.
@kingthorin I believe this can be added as part of what to look for. Like if it doesn't contain this, it can rank a low somewhere if the task is pretty heavy? Such as a transaction, or something similar. What do you think?
@kingthorin I am actually reconsidering this. First and foremost, I believe this issue needs rewording. Can you maybe help me do that? And are you 💯 with this issue? Would you like that we discuss it and see how it can be done to improve the guide, or just remove it?
I'm happy to help with this. I wrote the pen-testing Guide for the Australian Trusted Digital Identity Framework, so much of the work needed is already done. I'm pretty busy though - can someone give me a heads-up on how and where this preface should go, and what I need to do to submit something for consideration?
Hi @gitcnd! I think this issue could make a useful addition to the Introduction section (2.x). Are you still interested in covering it? If so, might we start with a point-form list of the advice you'd like to cover? That way we can give some feedback with minimal time investment to start.
Hi Victoria - sure; I will take a stab at some points. Can we also reword some things? e.g.: "This framework helps organizations test their web applications in order to build reliable and secure software." which is misleading. WE know that the sentence means "HELPS", but the consumers of this guide are not going to interpret that sentence that way - they're going to read "do this and you are secure"; and they're not going to understand that they've not yet considered more than half the problem.
Here is an antique version from 13+ years ago:- (use the "Edit" link to view that - something turned my text into HTML without fixing the line endings) I'll do a newer one with updates and fixed formatting that stays on topic for you as well.
@gitcnd any news/progress?
It's actually a lot more work than I realized, plus I'm somewhat disillusioned because I've done similar things in the past and ended up having it all discarded by folk who over-zealously enforce scope-demarcation. My philosophy is "fix the problem", but 99% of the security world worships a different theme: "keep the scope so narrow that all holes are someone else's problem". (or, tin-foil-hat-on, they're enforcing a hidden nation-state agenda or protecting a commercial product that's insecure or making money from services based on the insecurity - you never can tell what the real reason is behind obvious security-reducing decisions these days). p.s. What's the answer to my question - is re-wording stuff that misleads the layperson on the agenda or not?
Okay the core team can tackle it. There is a scope and it is a guide not a standard. Yes things can be re-worded. But, I don't want you to end up feeling you've wasted time or effort. Thanks for your ideas and references so far!
Just to add a bit on the above. Would you prefer working this with us? We can share ideas and thoughts between here and Slack, and then agree on what could be done and what could be accepted, without making it weigh down on you. We wouldn't want that to happen to any contributor!
Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.
Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.
More dangerous than any problems this test might find are the ones it's left out of scope (e.g. websites without MFA, or MFA without verifier impersonation resistance, etc). The most expensive security oversight after malware is the people.
There needs to be a prevalent explanation to guide users that OWASP is only going to address less than half of their problems, and they need to pay serious consideration to design decisions and overall security effectiveness - not just web vulns.
We all know this, but users of this guide are almost certainly unaware of the other things they need to be thinking about. We owe it to them to point these out (if not also add some tests for them: for example - google-authenticator is useless if a phishing site proxies stolen credentials in real time, and 2FA in general is pointless for transactions in the face of malware, etc.)
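The issue body's point about "MFA without verifier impersonation resistance" is easy to test for once it is stated concretely: a TOTP code carries nothing that ties it to the site the user typed it into, whereas an origin-bound authenticator (the WebAuthn/FIDO2 model) signs the origin the browser was actually connected to, and the real verifier rejects any assertion whose signed origin is not its own. The following is an added illustration written for this thread, not code from the OWASP Testing Guide or from any commenter. All secrets, origins and challenges are constructed; HMAC stands in for the authenticator's public-key signature; and the WebAuthn flow is reduced to the single check that matters here (the real protocol also signs authenticator data and checks the RP ID hash and counter).

```python
"""Why a relayed TOTP code is accepted while a relayed origin-bound assertion is not.

Added example for the OWASP Testing Guide issue thread; not project code.
Names, keys, origins and challenges below are constructed for illustration.
"""
import hashlib
import hmac
import json
import struct

# --- Constructed values (assumptions, not taken from the thread) -------------
TOTP_SECRET = b"constructed-shared-secret"       # shared by user's app and verifier
DEVICE_KEY = b"constructed-device-key"           # HMAC key standing in for a keypair
REAL_ORIGIN = "https://bank.example"             # the legitimate relying party
LOOKALIKE_ORIGIN = "https://bank-example.invalid"  # a site that merely forwards traffic
FIXED_TIME = 1_700_000_000                       # frozen clock so the example is deterministic


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). Note: nothing about the origin goes in."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_verifier_accepts(submitted_code: str, now: int) -> bool:
    """The real verifier only compares the six digits against its own clock."""
    return hmac.compare_digest(submitted_code, totp(TOTP_SECRET, now))


def totp_through_relay(now: int = FIXED_TIME) -> bool:
    """User types the code into the look-alike site; it is forwarded unchanged
    to the real verifier within the same 30 s step. Returns True: accepted."""
    code_typed_on_lookalike = totp(TOTP_SECRET, now)
    return totp_verifier_accepts(code_typed_on_lookalike, now)


def authenticator_sign(device_key: bytes, challenge: str, origin: str) -> dict:
    """Simplified origin-bound authenticator: the browser supplies the origin it is
    actually connected to, and the signature covers challenge + origin together."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    signature = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def origin_bound_verifier_accepts(device_key: bytes, issued_challenge: str, assertion: dict) -> bool:
    """Real verifier: signature must be valid, challenge must be the one it issued,
    and the signed origin must be its own origin. The last check is what gives
    verifier impersonation resistance."""
    expected = hmac.new(device_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    if data["challenge"] != issued_challenge:
        return False
    return data["origin"] == REAL_ORIGIN


def origin_bound_through_relay() -> bool:
    """The look-alike site forwards the verifier's challenge to the user's browser,
    but the browser is on LOOKALIKE_ORIGIN, so that is what gets signed.
    Returns False: the real verifier rejects it."""
    challenge = "constructed-challenge-1"
    assertion = authenticator_sign(DEVICE_KEY, challenge, LOOKALIKE_ORIGIN)
    return origin_bound_verifier_accepts(DEVICE_KEY, challenge, assertion)


def origin_bound_direct() -> bool:
    """Same flow with the browser genuinely on REAL_ORIGIN. Returns True."""
    challenge = "constructed-challenge-2"
    assertion = authenticator_sign(DEVICE_KEY, challenge, REAL_ORIGIN)
    return origin_bound_verifier_accepts(DEVICE_KEY, challenge, assertion)


if __name__ == "__main__":
    print("TOTP relayed through look-alike accepted:", totp_through_relay())
    print("Origin-bound relayed through look-alike accepted:", origin_bound_through_relay())
    print("Origin-bound direct login accepted:", origin_bound_direct())
```

When reviewing an authentication design, the question this models is whether the verifier can tell, from the credential it receives, which origin the user was interacting with; if it cannot, the factor is relayable and should be recorded as such even though it passes a conventional "is MFA present" check.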