Patrick Toomey

CVSS – Vulnerability Scoring Gone Wrong

If you have been in the security space for any stretch of time you have undoubtedly run across the Common Vulnerability Scoring System (CVSS). CVSS attempts to provide an “objective” way to calculate a measure of risk associated with a given vulnerability based on a number of criteria the security community has deemed worthwhile. While I admire the goals of such a scoring system, in practice I think it falls short, and over-complicates the issue of assigning risk to vulnerabilities. You can read my full write-up on the topic here.

Ambiguous RFC Leads to Cross Site Scripting

Over the years I have noticed that IE exhibits some strange behavior with regard to how it does or does not URL encode certain characters within an HTTP GET/POST request. Nearly every other browser in existence percent-encodes the ", <, and > characters, while IE doesn't. This doesn't tend to matter, except for when it does: when the raw query string is used directly to build a URL that is written back into a page, one must be aware that IE has not encoded ", <, and > for you, so those characters arrive intact and a reflected cross-site scripting flaw that the other browsers happen to mask becomes exploitable. At first I thought this was Microsoft not following the RFC, but it turns out it is probably just a poorly worded RFC. You can read my full write-up on the topic here.
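The following is an added illustration of that failure mode, not code from the original post. The 'ie-legacy' branch simply models the behaviour the post describes (", < and > left raw, everything else encoded as usual) and is an assumption of this example rather than a test against an actual IE build; the page template, the q parameter and the payload are hypothetical and constructed for the demo.

```javascript
// Added example (not from the original post): why an unencoded query string
// turns a "harmless" URL-building template into reflected XSS.
// The 'ie-legacy' branch models the behaviour the post describes (", < and >
// left raw); the template and parameter names are hypothetical.

// Model of what a browser puts on the wire for ?k=v.
// 'other' = typical browser (percent-encodes " < > along with everything else
// encodeURIComponent encodes, except "/" which no browser encodes in a query);
// 'ie-legacy' = the same, but ", < and > are left untouched.
function clientQueryString(params, browser) {
  return Object.entries(params).map(([k, v]) => {
    let enc = encodeURIComponent(v).replace(/%2F/g, '/');
    if (browser === 'ie-legacy') {
      enc = enc.replace(/%22/g, '"').replace(/%3C/g, '<').replace(/%3E/g, '>');
    }
    return `${encodeURIComponent(k)}=${enc}`;
  }).join('&');
}

// Vulnerable server-side template: the raw query string is copied straight
// into an href. With a browser that encodes everything this looks fine, since
// the attribute only ever sees %22/%3C/%3E. With IE the markup lands as-is.
function renderVulnerable(rawQuery) {
  return `<a href="/search?${rawQuery}">Back to results</a>`;
}

// Hardened template: parse the query, serialise it again (URLSearchParams
// percent-encodes every non-alphanumeric except * - . _), then escape for an
// HTML attribute context. What the browser chose to encode no longer matters.
function htmlAttrEscape(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function renderSafe(rawQuery) {
  const rebuilt = new URLSearchParams(rawQuery).toString();
  return `<a href="/search?${htmlAttrEscape(rebuilt)}">Back to results</a>`;
}

// Constructed payload: closes the href and the <a>, then injects a script tag.
const payload = 'x"><script>alert(1)</script>';

function demo() {
  const ie = clientQueryString({ q: payload }, 'ie-legacy');
  const other = clientQueryString({ q: payload }, 'other');
  return {
    ie,
    other,
    vulnerableIe: renderVulnerable(ie),       // contains a live <script> tag
    vulnerableOther: renderVulnerable(other), // <script> is still %3Cscript%3E
    safeIe: renderSafe(ie),
    safeOther: renderSafe(other),             // identical to safeIe
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running it prints both renderings side by side: the vulnerable template is only "safe" for browsers that encoded on the sender's behalf, while the hardened one produces byte-identical output whichever browser sent the request, because it never trusts the wire form of the query string.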

“Secure by Default” Doesn’t Seem to Be ColdFusion’s Motto

Adobe doesn’t have the best reputation when it comes to security (Flash being the obvious example). Well, that reputation seems to extend beyond Flash, as I have recently had occasion to review several ColdFusion based applications. As much as ColdFusion eases the development of web applications for developers, it does them a disservice by not shipping a “secure by default” platform. Abstracting security details away from developers can be a great thing, but not when the abstractions themselves are insecure.

How NOT to Build Your Client-server Security Architecture

It is funny how true the quote “Those who cannot remember the past are condemned to repeat it” is. There was a time when many developers were building client-server thick clients, as browsers were still nascent or didn’t exist at all. Many, though I hesitate to say most, even learned some design idioms for securing client-server apps. We then moved on to the world of web applications, which are themselves a similar client-server architecture. But I think enough time has passed that many who grew up in the world of web based client-server applications are bound to repeat the mistakes of old when it comes to developing thick clients. I can’t recall the last time I assessed a thick client application that didn’t suffer from some egregious design flaw that would never have been considered had it been a web based application. Take a look at my latest blog post for the specifics.