[WEB SECURITY] Application Security Hacking Videos
Joel R. Helgeson
joel at helgeson.com
Fri Jun 2 12:56:02 EDT 2006
An observation for you Paul:
What you are saying could just as easily be interpreted as:
"I use obscure software because people haven't discovered bugs in it yet."
Just like Mac users stated that they were bug-free... Well, no. You Mac
users weren't a big enough target to warrant the interest of the bug hunters;
times have changed.
----- Original Message -----
From: "Paul Schmehl" <pauls at utdallas.edu>
To: "Mike Fratto" <mfratto at gmail.com>
Cc: <websecurity at webappsec.org>
Sent: Friday, June 02, 2006 10:50 AM
Subject: Re: [WEB SECURITY] Application Security Hacking Videos
> Mike Fratto wrote:
>> I am going to go out on a limb here and assume you wouldn't buy any
>> commercial products or deploy any open source then?
> Really? Can you find a remotely exploitable security flaw in Postfix?
> (You can search Securityfocus or google for it.)
> How about Tippingpoint? ISS? Those are all products we use. Snort has
> had two that I know about (the bo preprocessor overflow and the RPC
> preprocessor overflow), but both were easily mitigated, unlike commercial
>> I can't think of a single security product that hasn't had some
>> security issue. Can you name some?
> There's a few. But there are some that stand out from the crowd and
> others that seem to have problem after problem after problem. To me,
> that's an indicator of code quality (or lack of same) and quality control.
>> Ivan is right on the money. It's what a company does when notified
>> about potential vulnerabilities that is important. Oracle is an
>> example of a company with a horrid history of not fixing problems in a
>> timely manner, nor do they always fix problems, preferring to fix
>> symptoms. Litchfield and others have documented such. Microsoft, on
>> the other hand, is much improved (and could use more) in their
>> response to vulnerabilities since the days of telling the guys at the
>> L0pht that a vulnerability was "theoretical." Both Oracle and MS have
>> strong security in their messaging and have security products and I
>> bet your organization has one or both running.
> We have very few internet-addressable Windows servers (none in the
> security department). We do have Oracle, but we wouldn't if I had
> anything to say about it. It's a horrible product made by a company with
> a horrible attitude about security flaws. We have zero security products
> from MS or Oracle, unless you consider WSUS and SMS security products. (I
> Paul Schmehl (pauls at utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
The Web Security Mailing List