[WEB SECURITY] Application Security Hacking Videos

Mike Fratto mfratto at gmail.com
Fri Jun 2 10:18:52 EDT 2006


> BTW, there are security companies that I will not even consider
> purchasing products from simply because they have had remote exploit
> vulnerabilities in their code.  I can assure you I'm not alone.  As more
> of us practitioners begin to cull the poorly programmed applications
> from our purchase mix, we will weed out the bad programmers ourselves.

I am going to go out on a limb here and assume you wouldn't buy any
commercial products or deploy any open source then?

I can't think of a single security product that hasn't had some
security issue. Can you name some?

Ivan is right on the money. It's what a company does when notified
about potential vulnerabilities that is important. Oracle is an
example of a company with a horrid history of not fixing problems in a
timely manner, nor do they always fix problems, preferring to fix
symptoms. Litchfield and others have documented such. Microsoft, on
the other hand, is much improved (and could use more) in their
response to vulnerabilities since the days of telling the guys at the
L0pht that a vulnerability was "theoretical." Both Oracle and MS have
strong security in their messaging and have security products and I
bet your organization has one or both running.

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
