[WEB SECURITY] Application Security Hacking Videos
pauls at utdallas.edu
Fri Jun 2 11:50:56 EDT 2006
Mike Fratto wrote:
> I am going to go out on a limb here and assume you wouldn't buy any
> commercial products or deploy any open source then?
Really? Can you find a remotely exploitable security flaw in Postfix?
(You can search Securityfocus or google for it.)
How about Tippingpoint? ISS? Those are all products we use. Snort has
had two that I know about (the bo preprocessor overflow and the RPC
preprocessor overflow), but both were easily mitigated, unlike
> I can't think of a single security product that hasn't had some
> security issue. Can you name some?
There are a few. But there are some that stand out from the crowd and
others that seem to have problem after problem after problem. To me,
that's an indicator of code quality (or lack of same) and quality control.
> Ivan is right on the money. It's what a company does when notified
> about potential vulnerabilities that is important. Oracle is an
> example of a company with a horrid history of not fixing problems in a
> timely manner nor do they always fix problems, preferring to fix
> symptoms. Litchfield and others have documented such. Microsoft, on
> the other hand, is much improved (and could use more) in their
> response to vulnerabilities since the days of telling the guys at the
> L0pht that a vulnerability was "theoretical." Both Oracle and MS have
> strong security in their messaging and have security products and I
> bet your organization has one or both running.
We have very few internet-addressable Windows servers (none in the
security department). We do have Oracle, but we wouldn't if I had
anything to say about it. It's a horrible product made by a company
with a horrible attitude about security flaws. We have zero security
products from MS or Oracle, unless you consider WSUS and SMS security
products. (I don't.)
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas