I was informed of one, and discovered another example of a similar policy and I'm proud to say there are now several more policies like PayPal's:
If anyone knows of others, please let me know as I'd going to try to keep a running list.
Feeds
10015 items (0 unread) in 75 feeds
-
Watchfire Application Security Insider
-
BlogSecurity
-
sirdarckcat
-
Google Online Security Blog
-
CGISecurity.com: Your Web Site and Application Security Resource
-
Switch/Twitch
-
mybeNi websecurity
-
cat slave diary
-
SecuriTeam Blogs
-
Curiouser and Curiouser
-
Alex's Corner
-
Billy (BK) Rios
-
Chris Shiflett
-
christian's weblog
-
funkatron.com
-
GNUCITIZEN
-
The Spanner
-
hackademix.net
-
Ruby on Rails Security Project
-
It's a shampoo world anyway
-
Web Security Blog
-
ha.ckers.org web application security lab
-
Yet Another Infosec Blog
-
PHP Security Blog
-
Security Thoughts
-
Sunnet Beskerming Security Advisories
-
Disenchant's Blog
-
Sylvan von Stuppe
-
Larholm.com
-
The Turkey Curse
-
Jeremiah Grossman
-
Anurag Agarwal - Application Security Evangelist
-
Ivan Ristic
-
deep inside | security & tools
-
omg.wtf.bbq.
-
BlueHat Security Briefings
-
Tactical Web Application Security
-
.:Computer Defense:.
-
tssci security
-
Plynt Penetration Testing Blog
-
Michael Howard's Web Log
-
Security Retentive
-
BindShell.Net
-
Dominic White's .tHE pRODUCT
-
SecurityFocus News
-
Justice League
-
Schneier on Security
-
Rational Survivability
-
terminal23
-
1 Raindrop
-
hiredhacker.com
-
Matasano Chargen
-
-
Michael on Security - Musings on Information Security
-
Fortify blog
-
The Art of Software Security Assessment
-
GDS Security Blog
-
Vodun.org
-
Robert Penz Blog
-
Mark Curphey - SecurityBuddha.com
-
Liminal states
-
Security Ripcord
-
ModSecurity Blog
-
IBM Internet Security Systems Frequency X Blog
-
Suspekt...
-
extern blog SensePost;
-
Zero in a bit
Security Retentive
-
Security Disclosure Policies That Remove Chilling Effects
Posted: December 28th, 2009, 9:55am CST by Security Retentive
Tags: [edit]
As I have discussed before, PayPal has published a vulnerability disclosure policy that attempts to remove chilling effects for researchers wishing to responsibly disclose a security vulnerability. Until today I thought that PayPal and Microsoft were alone in having policies that explicitly gave security waivers to security researchers who practiced responsible disclosure.
I was informed of one, and discovered another example of a similar policy and I'm proud to say there are now several more policies like PayPal's:
If anyone knows of others, please let me know as I'd going to try to keep a running list. -
Best Security Improvements in 2009?
Posted: December 18th, 2009, 9:05am CST by Security Retentive
Tags: [edit]
Taking a cue from Jeremiah's list of new 2009 hacking techniques I thought I'd start a list of best improvements in security in 2009.
So far I haven't come up with many substantial improvements, but I do have a starter list in no particular.
[Updated list based on Jeremiah's recommendations]
- IE8 removed CSS expressions support
- Rails now does output escaping by default?
- The new STS header.
- Firefox checks for updates to plugins
- Mozilla Content Security Policy (CSP)
- Microsoft IE8 X-Frame-Options anti-framing header
Your recommendations welcomed. -
Announcing Strict-Transport-Security Support on www.paypal.com
Posted: November 6th, 2009, 7:32am CST by Security Retentive
Tags: [edit]
Cross-posting from here from my other blog.
I'm pleased to announce that PayPal is the first major internet site to implement the draft Strict-Transport-Security standard. As of Friday November 6th, 2009 PayPal is supporting the Strict-Transport-Security (STS) mode on our main website, https://www.paypal.com.
Continued here..... -
Ethics and Security Research
Posted: October 23rd, 2009, 10:02am CDT by Security Retentive
Tags: [edit]
-
OWASP Podcast is Online
Posted: October 8th, 2009, 2:42am CDT by Security Retentive
Tags: [edit]
Jim Manico interviewed me for the OWASP Podcast series and interview has now been posted. It was only the second podcast I've done, hopefully a good listen.
Jim is great to work with btw, and very corporate PR conscious, so if he approaches you don't hesitate. -
Judge officially Reverses Drew Conviction
Posted: August 31st, 2009, 3:52am CDT by Security Retentive
Tags: [edit]
In case you weren't following the Lori crew case she had been convicted of of misdemeanor for violating the Computer Fraud and Abuse Act (CFAA) by violating the terms of service of MySpace when she created her account.
The judge has just recently overturned the conviction. Analysis and coverage from several places.
- Judge Officially Reverses Lori Drew’s Conviction
- Lori Drew Opinion Handed Down -- Judge Grants Motion To Dismiss on Vagueness Grounds
- Lori Drew Opinion
-
Important Legal Decision Regarding the Fourth Amendment and the Plain View Exception
Posted: August 28th, 2009, 5:32am CDT by Security Retentive
Tags: law [edit]
Some interesting discussion this week of a case recently decided in the Ninth Circuit. The case is "United States v Comprehensive Drug Testing". The decision is here.
Essentially the Ninth circuit is trying to proactively eliminate the plain view exception to warrant requirements under the fourth amendment when applied to computer searches.
I can't do the decision justice or put it in context. I recommend reading the following posts if you're interested in learning more. Some excellent discussion topics on the first blog post below.
-
How the Ninth Circuit Tried To End Plain View for Computer Searches Without Ending Plain View for Computer Searches.
- Beyond A-Rod and ManRam: Plain Talk on the ‘Plain View Doctrine
Personally, I think this is a pretty good idea, we'll just have to see whether it passes muster constitutionally. -
How the Ninth Circuit Tried To End Plain View for Computer Searches Without Ending Plain View for Computer Searches.
-
[Offtopic] Friday Fun - Sheep Art
Posted: August 7th, 2009, 9:43am CDT by Security Retentive
Tags: [edit]
-
Extortion or Responsible Disclosure?
Posted: August 3rd, 2009, 4:12am CDT by Security Retentive
Tags: [edit]
I was just reading an article in Wired - "Electronic High-Security Locks Easily Defeated at DefCon".
A quote from the article:
The lock makers say they can’t respond to the issues Tobias is raising until he tells them exactly how his attacks work. But before he’s willing to give them the details, Tobias has insisted the makers agree to fix the vulnerable locks retroactively with no cost to customers who have already purchased them. Something they refuse.
It got me thinking - I've never heard of anyone doing this in the software world. For those who just have a website, I suppose this kind of threat isn't too big a deal. Most reasonable software vendors provide patching on an ongoing basis, but for those who don't, is anyone aware of any cases like this? A researcher requiring the vendor to promise to fix the product before they disclose the defect? -
Software Assumptions Lead to Preventable Errors
Posted: August 3rd, 2009, 3:25am CDT by Security Retentive
Tags: [edit]
Here is a paper I co-wrote with Gunnar Peterson for the IEEE Security and Privacy Magazine. The title is pretty much the subject of the piece - how assumptions in the development process, and the associated lack of documentation and explicit statement of those assumptions, leads to preventable errors. We cover some techniques for documenting assumptions across a number of areas of the product lifecycle. Hopefully there are a few ideas here about formally documenting assumptions that you'll find useful.
Note: This article is Copyright IEEE and was originally published in IEEE Security &
Privacy magazine, vol. 7, no. 4, 2009, pp. 84-87.
