• CSRF doesn’t matter?? The sky is falling!

    15 Apr 2010

    Here’s a great piece where something I wrote put a grown man with a hacker handle’s boxers in a bunch. With all due respect to what Robert has contributed to our field, he is missing the point of my 8 sentence statement about cross-site request forgery (CSRF) not being a top priority (formerly published on SearchSoftwareQuality.com). It reminds of me when I wrote about Changes coming to the OWASP Top 10 in 2010. [Boy, some of the “leet” in our field get cranky in a hurry when you say anything that’s contrary to their experience!]

    What I said was based on what I’m seeing in my work I don’t think CSRF is as big of a deal – or perhaps I should say as top of a priority – as some of the vendors and Top 10 lists characterize it.

    Sure, CSRF is still an issue…but what’s the context? What’s the perspective? What systems or sensitive information are being placed at risk? How does it affect the business? Based on what I see it’s just not there and when it is, it’s usually not as big of a deal as many of the other Web security gaffes we really should be focusing our efforts on.

    Robert’s blind railing against what I said is overlooks my consistent rants I have about NOT relying on tools to find security flaws like what I wrote about here and here and here and here and here. But who am I to question things…

    It’s so funny how some people worry about picking knits when there’s an elephant in the room. It’s all about priorities folks – we have to prioritize things and focus on the urgent and the important. If you find CSRF that’s creating an urgent situation, then you better address it quick! Likewise with XSS, SQL injection, weak passwords, authentication mechanism flaws, and so on. But you’ve got to focus on what matters to your business in the context of your business – not just what some vendor, Top 10 list, or blogger says is important. Every situation – every application – is different.

    There’s something about our field – I’ve met many people over the years who like to find any flaw they can that’s even remotely exploitable – regardless of whether or not it really matters in the grand scheme of things – and make a big deal out of it to justify their expertise and their existence. Given all the issues we face in information security today, that approach just doesn’t add up.