[WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths
Andrew van der Stock
vanderaj at greebo.net
Wed Mar 15 10:47:06 EST 2006
I have back in January, but it has been a long time between drinks. I
found no buffer overflows in the reviews I conducted in 2005, and
only IIRC one in 2004. I did maybe 20-30 app reviews a year prior to
2005, and in 2005 I started doing massive reviews of major systems,
looking at very large code bases.
What surprised me was how incredibly resistant the developer from my
January review was about fixing them, even though they are completely
preventable. Only when we showed how trivial it was to exploit them
did they fix only the demo overflows we crafted. This is yet another
reason why I think languages like C++ and C have had their day,
particularly in relation to enterprise class apps.
Compared to say validation, authorization and injection issues,
buffer overflows are completely over-hyped. When I finish Guide 2.1,
my next target is to revitalize the Top 10, and buffer overflows are
On 16/03/2006, at 1:23 AM, Ory Segal wrote:
> Another interesting thing to note, which I totally agree with is:
> Quote: "While technically possible, the truth is that they are just
> not seen in the real world. Our experience at WhiteHat Security,
> having assessed hundreds of Web sites and identified thousands of
> vulnerabilities, shows that statistically, buffer overflows appear
> near the bottom of the list of total discovered issues."
> I've been around for quite a while, and I can't remember the last
> time I have seen a Buffer Overflow in a custom-built web
> application. Anyone else?