[WEB SECURITY] Re: Jeremiah Grossman writes about buffer overflow myths

Andrew van der Stock vanderaj at greebo.net
Wed Mar 15 10:47:06 EST 2006

I have back in January, but it has been a long time between drinks. I  
found no buffer overflows in the reviews I conducted in 2005, and  
only IIRC one in 2004. I did maybe 20-30 app reviews a year prior to  
2005, and in 2005 I started doing massive reviews of major systems,  
looking at very large code bases.

What surprised me was how incredibly resistant the developer from my  
January review was about fixing them, even though they are completely  
preventable. Only when we showed how trivial it was to exploit them  
did they fix only the demo overflows we crafted. This is yet another  
reason why I think languages like C++ and C have had their day,  
particularly in relation to enterprise class apps.

Compared to say validation, authorization and injection issues,  
buffer overflows are completely over-hyped. When I finish Guide 2.1,  
my next target is to revitalize the Top 10, and buffer overflows are  


On 16/03/2006, at 1:23 AM, Ory Segal wrote:

> Hi,
> Another interesting thing to note, which I totally agree with is:
> Quote: "While technically possible, the truth is that they are just  
> not seen in the real world. Our experience at WhiteHat Security,  
> having assessed hundreds of Web sites and identified thousands of  
> vulnerabilities, shows that statistically, buffer overflows appear  
> near the bottom of the list of total discovered issues."
> I've been around for quite a while, and I can't remember the last  
> time I have seen a Buffer Overflow in a custom-built web  
> application. Anyone else?
> -Ory