The Following Information Security Counter Arguments are Invalid

After bringing attention to the inability to terminate a session in some popular open source web application frameworks, many of the counterarguments fell into the following bins:

  1. We already knew about this
    Why is it still an issue? Too few people know about it; other developers, even users need to be informed and heard from.
  2. Developers already know about this
    They don’t, or they don’t care. They’re busy, rushed, and becoming an expert in your open source project is a lower priority than using it to accomplish whatever they’re being paid to deliver. Burying or omitting shortcomings in your project’s design only delays discovering them–the later: the worse, the angrier.
  3. Additional configuration is required to fully protect against this
    These additional protections are not being deployed. They also don’t provide 100% CYA.
  4. The issue isn’t sexy
    Basic issues are still issues. Basic issues that continue to exist are just embarrassing. Focusing on sexy helps no one.

We’re getting nowhere fast with this attitude.

Separately, there’s disagreement over this issue specifically and if it’s even a vulnerability. Well, the OWASP Top Ten will remain unchanged if we can’t even agree on whether this is a feature or a weakness.


Leave a Reply