The S in HTTP

Security By Example

webhat
2 min read · Aug 21, 2014

Recently I was criticized as being overly pedantic for asking somebody to correct an example in their blog post, where they used http rather than https to transmit a credit card number.

Sensitive Data Exposure is currently number 6 (A6) in OWASP’s Top Ten most critical web application security risks. All of the items in the Top Ten are about more than preventing individual vulnerabilities; they are about managing risk.

There’s no evidence that the secure coding practices inspired by the OWASP Top 10 list have resulted in more secure web applications, most likely because they are not followed.

PCI compliance: to be allowed to handle credit card numbers you need to comply with the PCI DSS standard, which among other things requires that cardholder data is transmitted securely. Sending credit card numbers over plain http is a violation of requirement 4.1:

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

And if you still think I’m being overly pedantic, have a look at HTTP Shaming. Programming needs more security pedantry.

By Daniël W. Crompton (@webhat), Director of Technology at Oplerno — a global institution empowering real-world practitioners, adjunct lecturers, professors, and aspiring instructors to offer affordable, accessible, high-quality education to students from all corners of the globe.
