
Authenticationorization: The Importance of Proof-reading


By Kevin W

I recently read the following in an automatically generated report from a web application vulnerability scanner: “Encrypt the view state using 3DES or AES encryption to prevent the viewing of sensitive data and ensure that the ViewState machine authenticationorization check (MAC) is enabled to prevent tampering.  Both of these can be done in the applications’ web.config file.”


According to MSDN, the correct term is machine authentication check. At first, you may think the scanner produced a typo in the report, as authentication and authorization can be easily confused.  I wrote about the differences between authentication and authorization earlier in another blog post.
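For anyone checking the recommendation itself rather than its wording, this is the web.config fragment the scanner is describing, shown as an added example that is not part of the original post or of Denim Group's code. The weak configuration is left commented out next to the hardened one, and the key values are placeholders to be generated per environment.

```xml
<!-- Added illustration, not from the original post: ViewState integrity and
     confidentiality settings in an ASP.NET application's web.config. -->
<configuration>
  <system.web>
    <!-- Weak: no machine authentication check, ViewState never encrypted,
         so the round-tripped state can be both read and tampered with. -->
    <!-- <pages enableViewStateMac="false" viewStateEncryptionMode="Never" /> -->

    <!-- Hardened: MAC enforced and encryption required on every page. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- Keys behind the MAC and the encryption. HMACSHA256 and AES are preferred
         over the SHA1/3DES options; the values below are placeholders, not real keys. -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="REPLACE_WITH_GENERATED_HEX_KEY"
                decryptionKey="REPLACE_WITH_GENERATED_HEX_KEY" />
  </system.web>
</configuration>
```

On ASP.NET 4.5.2 and later the runtime enforces the ViewState MAC regardless of the attribute, so on those versions a finding that reports it as disabled is itself worth verifying by hand.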


But I’ll let you in on a little secret; authenticationorization is actually part of an obscure technical writing technique. Authenticationorization is a highly specialized term for when you don’t understand a process well enough to determine whether you actually mean authentication or authorization. The usage of authenticationorization is very effective since it conveniently covers both options, enabling you to claim you meant the correct one when someone brings the “alleged” typo to your attention. Authenticationorization comes from the same family of terms as validerification and quantilification.


Humor aside, the real lesson here is not to blindly trust automatically generated reports; you must manually validate all of the scanner’s findings and proofread all of the automatically generated text. If you are not careful, you could look foolish in front of everyone on the intraternet… or is it intertranet? I always get those two confused.


—Kevin W., CISSP
