[WEB SECURITY] Application Security Hacking Videos

Paul Schmehl pauls at utdallas.edu
Fri Jun 2 14:57:59 EDT 2006


Joseph Peloquin wrote:
> Paul, let me say first that I've been reading your posts and articles
> for years, live in the "Metroplex" myself, and have a lot of respect for
> you.
> 
Thank you.

> With regard to the topic at hand, however, I disagree with you and agree
> with the gentleman that is happy to work with a company that
> acknowledges its vulnerabilities and publishes fixes in a timely manner.
>
I agree with this, with a caveat.  Given a choice between two responsive 
vendors, one of whom has released remotely exploitable software and 
another who has not, I will choose the latter every time.

> We all know the tendency for security to take a back-seat to business.
> In a perfect world, we'd see security built-in to the SDL for any type
> of application, security product or not.  The fact of the matter is
> shareholders, time-to-market, and many other factors lead businesses to
> cut corners.  I can tolerate this, even in my security products, so long
> as the vendor is responsive and remediates vulnerabilities in a timely
> manner.
> 
Sadly, all too true.  And I don't see it changing any time soon.  I 
think legislation and lawsuits will force the issue for many, unfortunately.

> That said, I use ISS and TippingPoint products, and they are not "bullet
> proof";
> 
> ISS
> I'm not going through the entire database, but Secunia has a few on ISS;
> http://secunia.com/product/2348/#advisories
> 
> 3Com/TippingPoint
> Albeit it's in the SMS, not the IPS itself, and severity-level aside, TP
> has one lately;
> http://www.3com.com/securityalert/alerts/3COM-06-002.html
> 
> Having just completed evaluating TP in January, I also know about the
> tiny-fragment evasion issue from last fall, which was also fixed very
> quickly.
>
I did use the term "remotely exploitable" as a qualifier.  Failing to 
anticipate every evasion technique is a problem of lesser magnitude than 
a remotely exploitable vulnerability in the code.  The same is true of 
DoSes.  I don't consider them to be as major a failure as a remotely 
exploitable hole.  The former inconveniences me.  The latter puts my 
entire network at risk.

If I look at web application firewalls, and one vendor has had some 
evasion problems and another has shipped remotely exploitable product, 
the latter will be struck from consideration.

But I've strolled far off topic from this list's purpose now, so I'll go 
back to lurking.

-- 
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
