By Kevin W
I recently read the following in an automatically generated report from a web application vulnerability scanner: “Encrypt the view state using 3DES or AES encryption to prevent the viewing of sensitive data and ensure that the ViewState machine authenticationorization check (MAC) is enabled to prevent tampering. Both of these can be done in the applications’ web.config file.”
According to MSDN, the correct term is machine authentication check. At first, you may think the scanner produced a typo in the report, as authentication and authorization can be easily confused. I wrote about the differences between authentication and authorization earlier in another blog post.
But I’ll let you in on a little secret: authenticationorization is actually part of an obscure technical writing technique. Authenticationorization is a highly specialized term for when you don’t understand a process well enough to determine whether you actually mean authentication or authorization. The use of authenticationorization is very effective, since it conveniently covers both options, enabling you to claim you meant the correct one when someone brings the “alleged” typo to your attention. Authenticationorization comes from the same family of terms as validerification and quantilification.
Humor aside, the real lesson here is to not blindly trust automatically generated reports: you must manually validate all of the scanner’s findings and proofread all of the automatically generated text. If you are not careful, you could look foolish in front of everyone on the intraternet… or is it intertranet? I always get those two confused.
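For reference, here is what the scanner’s two recommendations actually correspond to in an ASP.NET web.config, shown as an added example that is not part of the original post. The weak fragment is what a scanner would flag; the corrected fragment below it is the fix. The key values are placeholders, not real keys.

```xml
<!-- Added example (not from the original post). Two web.config fragments
     for the ViewState settings the scanner report refers to. -->

<!-- WEAK: no machine authentication check (MAC) and no encryption.
     The __VIEWSTATE hidden field can be read and modified by the client,
     and the server will accept the modified value. -->
<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>

<!-- CORRECTED: MAC enabled (tamper detection) and ViewState always encrypted
     (confidentiality), using AES with an HMAC-SHA256 validation key.
     Both keys are placeholders; generate random hex values of the
     documented length and keep them out of source control. -->
<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="PLACEHOLDER_RANDOM_HEX_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_RANDOM_HEX_DECRYPTION_KEY" />
  </system.web>
</configuration>
```

A quick manual check of the finding: with the corrected settings, the __VIEWSTATE value in the page source should look like an opaque base64 blob rather than base64 that decodes to readable field values, and enableViewStateMac should never be set to false in any environment.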
—Kevin W., CISSP