As a consultant, I spend a lot of my time working with organizations and staff to help them improve their security. I do this via a number of methods including consulting, penetration testing, training, and other services. But the foundation of what I do is explain the what, why, and how of information security. And lately I have seen a number of times where the security industry is actually making it harder. This is happening because (at least in my opinion) people are constantly trying to get their name or their company’s name into the public eye. (Of course I have to admit that posting this blog also attempts this for me and Secure Ideas <grin>).
Lately, and this isn’t new, we have started seeing a number of people or companies post blogs or articles about new vulnerabilities that aren’t really new. For example, just recently a company posted a blog about Blind XSS. In the article, they talk about a vulnerability that is persistent XSS, but they describe it as different because they just throw attack payloads into various parameters, hoping that it will get used later in the application. (Sounds like fuzzing for persistent XSS to me!)
Another example is the sheer number of new search strings we see finding problems. For example we have seen a ton of github searches which are the same as Google hacking. I bet the next run will be searches you can run against SharePoint!
So in conversations internally and with other security people, I think we need to build some type of standard to hold these new flaws against to determine if they are actually new flaws. At Secure Ideas, we think we can ask three simple questions and if the answer is yes to all three, then we have a new type of vulnerability. If not, then we have something else. Maybe it is a subtype, like reflected or persistent XSS. Or maybe we just have a flaw being found in a different way.
The three questions are as follows:
- Does the attack against the flaw use new payloads?
- Does the flaw have a new defense?
- Does the flaw effect a different technology?
While we don’t think that this idea will change the industry, we are looking for comments. Let us know at firstname.lastname@example.org
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at email@example.com or visit the Secure Ideas – Professionally Evil site for services provided.