[WEB SECURITY] Application Security Hacking Videos

Joel R. Helgeson joel at helgeson.com
Fri Jun 2 12:56:02 EDT 2006

An observation for you Paul:
What you are saying could just as easily be interpreted as:
"I use obscure software because people haven't discovered bugs in it yet."

Just like Mac users stated that they were bug-free... Well, no... you Mac
users weren't a big enough target to warrant the interest of the bug hunters;
times have changed.


----- Original Message ----- 
From: "Paul Schmehl" <pauls at utdallas.edu>
To: "Mike Fratto" <mfratto at gmail.com>
Cc: <websecurity at webappsec.org>
Sent: Friday, June 02, 2006 10:50 AM
Subject: Re: [WEB SECURITY] Application Security Hacking Videos

> Mike Fratto wrote:
>> I am going to go out on a limb here and assume you wouldn't buy any
>> commercial products or deploy any open source then?
> Really?  Can you find a remotely exploitable security flaw in Postfix? 
> (You can search Securityfocus or google for it.)
> How about Tippingpoint?  ISS?  Those are all products we use.  Snort has 
> had two that I know about (the bo preprocessor overflow and the RPC 
> preprocessor overflow), but both were easily mitigated, unlike commercial 
> products.
>> I can't think of a single security product that hasn't had some
>> security issue. Can you name some?
> There's a few.  But there are some that stand out from the crowd and 
> others that seem to have problem after problem after problem.  To me, 
> that's an indicator of code quality (or lack of same) and quality control.
>> Ivan is right on the money. It's what a company does when notified
>> about potential vulnerabilities that is important. Oracle is an
>> example of a company with a horrid history of not fixing problems in a
>> timely manner nor do they always fix problems, preferring to fix
>> symptoms. Litchfield and others have documented such. Microsoft, on
>> the other hand, is much improved (and could use more) in their
>> response to vulnerabilities since the days of telling the guys at the
>> L0pht that a vulnerability was "theoretical." Both Oracle and MS have
>> strong security in their messaging and have security products and I
>> bet your organization has one or both running.
> We have very few internet-addressable Windows servers (none in the 
> security department).  We do have Oracle, but we wouldn't if I had 
> anything to say about it.  It's a horrible product made by a company with 
> a horrible attitude about security flaws.  We have zero security products 
> from MS or Oracle, unless you consider WSUS and SMS security products.  (I 
> don't.)
> -- 
> Paul Schmehl (pauls at utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
