[WEB SECURITY] Application Security Hacking Videos

Brian Eaton eaton.lists at gmail.com
Thu Jun 1 21:19:56 EDT 2006


(Trimming Paul from the CC list, because he's grouchy enough as is.)

On 6/1/06, Paul Schmehl <pauls at utdallas.edu> wrote:
> The same is true for a development firm.  When programmers keep coding
> buffer overflows, technology isn't going to save you.  (Remember when
> Microsoft announced they had "eliminated buffer overflows in Windows XP"
> at their New York launch?  They bought a $10,000,000 tool that was
> supposed to go through the code and find them all.  Less than a month
> later eEye found the UPnP overflow - the most devastating single hole
> ever found in a Windows product.)

Right idea, wrong tool.  A better approach would have been to pick
their most exposed applications (IE, Outlook, anything with a
listening port) and rewrite them in .NET.

That's a long-term solution to one particular type of vulnerability.
You just can't rewrite that many millions of lines of code overnight.
However, because of the switch to Java and .NET, buffer overflows are
going the way of the dinosaur.  The same approach can be applied to
most of the other vulnerabilities you see exploited.  It's just
waiting for the right tools to become popular.

> You fix the people, or you'll never fix the problem.

And you think trying to improve programming languages is a tough task? ;-)

- Brian

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


