
Re: [WEB SECURITY] Application Security Hacking Videos

Ivan Ristic wrote:
> On 6/1/06, Paul Schmehl <pauls@utdallas.edu> wrote:
>>
>> BTW, there are security companies that I will not even consider
>> purchasing products from simply because they have had remote exploit
>> vulnerabilities in their code.  I can assure you I'm not alone.  As more
>> of us practitioners begin to cull the poorly programmed applications
>> from our purchase mix, we will weed out the bad programmers ourselves.
> 
> I think it's more important to observe how companies deal with such
> issues. Security problems are a fact of life mostly due to the fact
> that there isn't a way to write code that is 100% guaranteed not to
> have any faults.
> 
I understand what you're saying, but as a consumer of the products, I 
think differently.  I think, if a security company is programming buffer 
overflows into their own code, then they probably don't understand 
buffer overflows very well.  How can I trust them, then, to protect me 
against buffer overflows in my applications?  Or even detect them?

Sometimes the choices are very simple.  For example, I don't use 
sendmail anywhere.  It's had a multitude of problems, indicating to me 
that the people who code it don't really understand what they're doing 
*or* the code is too complex for *anyone* to fully understand it.  I use 
postfix.  Can you recall a security problem with postfix?

So, when I install a new OS, sendmail comes off, postfix goes on.  Now I 
have one less thing to worry about.

Same reason I don't use Windows Servers in public IP space.  Not 
trustworthy (I use that word deliberately.)

I know programmers aren't perfect.  Nobody is.  But, if you're a 
security vendor, you'd better have enough quality control processes in 
place to catch the problems before you ship them out the door.  Because, 
if they get out the door and become known, I ain't buyin' your products 
any more.  I can't trust you.  I don't really care *why* I can't trust 
you.  It may be you don't care.  It may be your processes aren't 
thorough enough.  It may be your people aren't talented enough.  It may 
be you just don't understand the problem well enough.  But I don't care. 
All I know is, I can't trust you.
>
>> Yes, we need much better training.  Yes, we need much better awareness
>> of the complexities of attack vectors.  But until programmers and
>> leadership in software companies take the bull by the horns and start
>> addressing the problem, we will continue to see point solutions that
>> hide the ugly warts.
> 
> For one reason or another I don't think we can ever expect the average
> programmer to understand all the security issues. That's why, IMHO, it
> is essential to move to (and design) programming languages and
> platforms that are not vulnerable to buffer overflows and, in general,
> make it very difficult or impossible to write insecure code.
> 
> The people in charge of major programming platforms need to take
> responsibility and make the (programming) world a more secure space. I
> am not saying that would solve all our problems, but I think it would
> solve most of the ones we are dealing with on daily basis.
> 
You can't solve people problems with technology.  You just can't.  If 
you could, we could throw enough boxes up on the network that we'd never 
have to worry about a breakin.  But, when a user uses "password" as the 
password for the root account, technology isn't going to save you. 
Policy and processes are.

The same is true for a development firm.  When programmers keep coding 
buffer overflows, technology isn't going to save you.  (Remember when 
Microsoft announced they had "eliminated buffer overflows in Windows XP" 
at their New York launch?  They bought a $10,000,000 tool that was 
supposed to go through the code and find them all.  Less than a month 
later eEye found the UPnP overflow - the most devastating single hole 
ever found in a Windows product.)

There has not yet been invented the mousetrap that will catch all mice. 
There never will be.  The slickest, most "airtight" programming 
language will have unforeseen weaknesses that *somebody* smart will 
figure out.

It has ever been thus.

You fix the people, or you'll never fix the problem.

-- 
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Brought to you by http://www.webappsec.org