Thursday, June 28, 2007

reflecting on CSRF

As more light and heat are being generated by the disclosure of (at least) 8 products being vulnerable to CSRF attacks, what surprised me more than the flaw existing practically everywhere was the (non-)response from supposed security vendors.

All software has bugs. It shouldn't be any big surprise to reveal that.

What keeps you ahead of the game is how you respond to bugs, including security holes, and that goes double if you are a security vendor.

Yet, with the exception of Check Point, the vendors' reaction seems to have been to cover their ears and pretend it didn't happen. One vendor claimed to have filed "a formal complaint with CERT"; more on that one later. :)