Word Notes 11.30.21
Ep 78 | 11.30.21

OWASP cryptographic failures (noun)

Transcript

Rick Howard: The word is: OWASP cryptographic failures. 


Rick Howard: Spelled: O for open, W for web, A for application, S for security, P for project, cryptographic as in the art and science of code making, and failures for the inability to achieve a goal.  


Rick Howard: Definition: Code that fails to protect sensitive information.  


Rick Howard: Example sentence: Alan Turing and the team at Bletchley Park took advantage of a cryptographic failure during World War II when they broke the encryption scheme used by the German Enigma machine.  


Rick Howard: Origin and context: Dave Wickers and Jeff Williams, working for Aspect Security, a software consultancy company, published an education piece in 2003 on the top software security coding issues of the day. That eventually turned into the OWASP Top 10, a reference document describing the most critical security concerns for web applications.  


Rick Howard: Today, OWASP is an international volunteer team of security professionals led by the Foundation Executive Director and Top 10 project leader, Andrew van der Stock. OWASP is dedicated to enabling organizations to develop, purchase and maintain applications and APIs that can be trusted. Today, there are tens of thousands of members and hundreds of chapters worldwide. In 2021, OWASP published an updated list where they upgraded the old "Sensitive Data Exposure" label to "Cryptographic Failures" and moved it up the priority list to number two.


Rick Howard: Cryptographic failures result when software managing sensitive data in transit or at rest, such as passwords, credit card numbers, health records, and personal information leaves that data unprotected. For example, a website that doesn't enforce the Transport Layer Security protocol, or TLS, for all pages is a Cryptographic Failure. A web application that uses unsalted password generators is also a Cryptographic Failure. There are many more examples. The OWASP website describes these in detail and offers best practices for developers looking to improve their code.  


Rick Howard: Nerd reference: In January 2021, Andrew van der Stock explained the beginning of the Top 10 project, why the Top 10 lists have been consistently the same for almost 20 years, and the next steps the project will take to improve the list in the future.  


Andrew van der Stock: Back in the early days of OWASP, Dave Wickers and Jeff Williams, of Aspect Security, um, they decided to do an education piece: OWASP Top Security Risks. That very first one is the 2003 edition which most people don't even have a copy of. The one that really got traction was the 2004 edition the next year. And, um, it really did start with what did Aspect Security see from their work? The surprising thing in many ways is that it hasn't really, truly changed overly much in terms of content. Like for example, injections have always been number one. The reality is that the first couple, the 2003 and 2004, were Jeff and Dave's best judgment and it's proven over a long period of time to be that.


Andrew van der Stock: But in some ways, it looks like the top 10 is self-referential. People find the things in the OWASP top 10, because it's in the OWASP Top 10. And therefore the things in the top 10 will always be the top 10, and that's a bit of a disappointment. So we need to now spread our wings and really start to collaborate stronger with the OWASP proactive controls, frameworks, and develop those languages to start eliminating bug classes, rather than just simply saying these are bad items. 


Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.