[WEB SECURITY] Application Security Hacking Videos

Joseph Peloquin jpelo1 at jcpenney.com
Fri Jun 2 12:40:35 EDT 2006

Paul, let me say first that I've been reading your posts and articles
for years, live in the "Metroplex" myself, and have a lot of respect for

With regard to the topic at hand, however, I disagree with you and agree
with the gentleman who is happy to work with a company that
acknowledges its vulnerabilities and publishes fixes in a timely manner.

We all know the tendency for security to take a back seat to business.
In a perfect world, we'd see security built into the SDL for any type
of application, security product or not.  The fact of the matter is
shareholders, time-to-market, and many other factors lead businesses to
cut corners.  I can tolerate this, even in my security products, so long
as the vendor is responsive and remediates vulnerabilities in a timely

That said, I use ISS and TippingPoint products, and they are not "bullet

I'm not going through the entire database, but Secunia has a few on ISS;

Albeit it's in the SMS, not the IPS itself, and severity level aside, TP
has had one lately;

Having just completed evaluating TP in January, I also know about the
tiny-fragment evasion issue from last fall, which was also fixed very

Joey Peloquin 

|-----Original Message-----
|From: Paul Schmehl [mailto:pauls at utdallas.edu] 
|Sent: Friday, June 02, 2006 10:51 AM
|To: Mike Fratto
|Cc: websecurity at webappsec.org
|Subject: Re: [WEB SECURITY] Application Security Hacking Videos
|Mike Fratto wrote:
|> I am going to go out on a limb here and assume you wouldn't buy any 
|> commercial products or deploy any open source then?
|Really?  Can you find a remotely exploitable security flaw in Postfix? 
|(You can search Securityfocus or google for it.)
|How about Tippingpoint?  ISS?  Those are all products we use.  
|Snort has had two that I know about (the bo preprocessor 
|overflow and the RPC preprocessor overflow), but both were 
|easily mitigated, unlike commercial products.
|> I can't think of a single security product that hasn't had some 
|> security issue. Can you name some?
|There's a few.  But there are some that stand out from the 
|crowd and others that seem to have problem after problem after 
|problem.  To me, that's an indicator of code quality (or lack 
|of same) and quality control.
|> Ivan is right on the money. It's what a company does when notified 
|> about potential vulnerabilities that is important. Oracle is an 
|> example of a company with a horrid history of not fixing problems in a 
|> timely manner, nor do they always fix problems, preferring to fix 
|> symptoms. Litchfield and others have documented such. Microsoft, on 
|> the other hand, is much improved (and could use more) in their 
|> response to vulnerabilities since the days of telling the guys at the 
|> L0pht that a vulnerability was "theoretical." Both Oracle and MS have 
|> strong security in their messaging and have security products and I 
|> bet your organization has one or both running.
|We have very few internet-addressable Windows servers (none in 
|the security department).  We do have Oracle, but we wouldn't 
|if I had anything to say about it.  It's a horrible product 
|made by a company with a horrible attitude about security 
|flaws.  We have zero security products from MS or Oracle, 
|unless you consider WSUS and SMS security products.  (I don't.)
|Paul Schmehl (pauls at utdallas.edu)
|Adjunct Information Security Officer
|The University of Texas at Dallas
The Web Security Mailing List