Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Security's #1 Problem: Economic Incentives
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
rrwillsher1974
50%
50%
rrwillsher1974,
User Rank: Apprentice
9/25/2017 | 10:27:44 AM
internet sercruits
its very smimple to fix all you have to do is get an audit done and emprove on the ave score 200/400. to do this to a score off 400 would stop alot off pppl useing the cracks in programs to do whot ever thay do.

also ppl are not useing a direct attack on ppl but rather useing other ppls web sites we vist as a point off entry ie cookies,poor audit scores, paying for ur padlock form digigroup and not doing your job properly.

you all are lasy devs and programers just because a program says it ok doesnt mean ur dont ur job.
martin.george
50%
50%
martin.george,
User Rank: Apprentice
9/25/2017 | 11:17:12 AM
Great post
That is totaly great est post I have seen here) 
xanthan99
100%
0%
xanthan99,
User Rank: Strategist
9/25/2017 | 3:41:11 PM
New Problem same discussion
This article brings back memories of numerous discussions from 15-20 years ago about how to adhere to the SDLC in the fast paced world of the Internet.  I'm not truely sure we ever came up with a solution for that either, reference the iOS 11 update over the weekend.  Security can't be something we leave to the whim of happenstance theory.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
9/26/2017 | 2:34:42 PM
Software development
I would agree with the article. There has to be a better way to develop application so there is incentive to develop secure applications.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
9/26/2017 | 2:37:09 PM
Re: internet sercruits
its very smimple to fix all you have to do is get an audit done and emprove on the ave score 200/400 It makes sense however most audit would not catch most vulnerabilities. It needs to be intensive pen test.
Dr.T
0%
100%
Dr.T,
User Rank: Ninja
9/26/2017 | 2:38:42 PM
Re: internet sercruits
you all are lasy devs and programers just because a program says it ok doesnt mean ur dont ur job. That might be true, mostly less about laziness more about not having enough time to check and re-check.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
9/26/2017 | 2:39:30 PM
Re: Great post
Yes, it is a great article pointing out major loop in whole software development process.
Dr.T
100%
0%
Dr.T,
User Rank: Ninja
9/26/2017 | 2:41:09 PM
Re: New Problem same discussion
This article brings back memories of numerous discussions from 15-20 years ago about how to adhere to the SDLC in the fast paced world of the Internet I would agree. It is an old question without a proper answer yet.
rrwillsher1974
50%
50%
rrwillsher1974,
User Rank: Apprentice
9/26/2017 | 3:06:49 PM
Re: internet sercruits
It's simple just ask there will be a nominal cost, overheads and expenses
jacekmaterna
100%
0%
jacekmaterna,
User Rank: Apprentice
9/27/2017 | 11:27:04 AM
moving security to the "left" in SDLC will never occur without $ incentives-
Security in the SDLC has long be an after-thought. Why would it be any different? Business owners are rewarded for KPis on speed and releases over quality. Few firms today operate in reverse. Why? Because the marketplace demands more speed and more features faster than the day before. Impossible to change that macro environment. Best that could happen is that some combo of regulation comes in to move risk management and security to the "left" - its 10x cheaper to find issues in the source code than when to do it after the products are deployed globally, etc. Human nature will always take least resistent path. I am no fan of regulation but in this case there needs to be some to create value in security in the SDLC - incentive via $$ impact will get business owmners attention. GDPR is a great step- it has real teeth (albeit being super vague).
Page 1 / 2   >   >>


Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-18661
PUBLISHED: 2021-06-24
Cross Site Scripting (XSS) vulnerability in gnuboard5 <=v5.3.2.8 via the url parameter to bbs/login.php.
CVE-2020-21787
PUBLISHED: 2021-06-24
CRMEB 3.1.0+ is vulnerable to File Upload Getshell via /crmeb/crmeb/services/UploadService.php.
CVE-2020-21788
PUBLISHED: 2021-06-24
In CRMEB 3.1.0+ strict domain name filtering leads to SSRF(Server-Side Request Forgery). The vulnerable code is in file /crmeb/app/admin/controller/store/CopyTaobao.php.
CVE-2021-23398
PUBLISHED: 2021-06-24
All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output.
CVE-2021-33348
PUBLISHED: 2021-06-24
An issue was discovered in JFinal framework v4.9.10 and below. The "set" method of the "Controller" class of jfinal framework is not strictly filtered, which will lead to XSS vulnerabilities in some cases.