[WEB SECURITY] Application Security Hacking Videos

Paul Schmehl pauls at utdallas.edu
Fri Jun 2 11:50:56 EDT 2006

Mike Fratto wrote:
> I am going to go out on a limb here and assume you wouldn't buy any
> commercial products or deploy any open source then?
Really?  Can you find a remotely exploitable security flaw in Postfix? 
(You can search Securityfocus or google for it.)

How about Tippingpoint?  ISS?  Those are all products we use.  Snort has 
had two that I know about (the bo preprocessor overflow and the RPC 
preprocessor overflow), but both were easily mitigated, unlike 
commercial products.

> I can't think of a single security product that hasn't had some
> security issue. Can you name some?
There's a few.  But there are some that stand out from the crowd and 
others that seem to have problem after problem after problem.  To me, 
that's an indicator of code quality (or lack of same) and quality control.

> Ivan is right on the money. It's what a company does when notified
> about potential vulnerabilities that is important. Oracle is an
> example of a company with a horrid history of not fixing problems in a
> timely manner nor do they always fix problems prefering to fix
> symptoms. Litchfield and others have documented such. Microsoft, on
> the other hand, is much improved (and could use more) in their
> response to vulnerabilities since the days of telling the guys at the
> L0pth that a vulnerabiity was "theoretical." Both Oracle and MS have
> strong security in their messaging and have security products and I
> bet your organization has one or both running.
We have very few internet-addressable Windows servers (none in the 
security department).  We do have Oracle, but we wouldn't if I had 
anything to say about it.  It's a horrible product made by a company 
with a horrible attitude about security flaws.  We have zero security 
products from MS or Oracle, unless you consider WSUS and SMS security 
products.  (I don't.)

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5007 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060602/ae1aec3d/attachment.p7s>

More information about the websecurity mailing list