RE: [WEB SECURITY] Application Security Hacking Videos
- From: "Joseph Peloquin" <jpelo1@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Application Security Hacking Videos
- Date: Fri, 2 Jun 2006 11:40:35 -0500
Paul, let me say first that I've been reading your posts and articles
for years, live in the "Metroplex" myself, and have a lot of respect for
you.
With regard to the topic at hand, however, I disagree with you and agree
with the gentleman that is happy to work with a company that
acknowledges its vulnerabilities and publishes fixes in a timely manner.
We all know the tendency for security to take a back seat to business.
In a perfect world, we'd see security built into the SDL for any type
of application, security product or not. The fact of the matter is
shareholders, time-to-market, and many other factors lead businesses to
cut corners. I can tolerate this, even in my security products, so long
as the vendor is responsive and remediates vulnerabilities in a timely
manner.
That said, I use ISS and TippingPoint products, and they are not "bullet proof";
ISS
I'm not going through the entire database, but Secunia has a few on ISS;
http://secunia.com/product/2348/#advisories
3Com/TippingPoint
Albeit it's in the SMS, not the IPS itself, and severity-level aside, TP
has one lately;
http://www.3com.com/securityalert/alerts/3COM-06-002.html
Having just completed evaluating TP in January, I also know about the
tiny-fragment evasion issue from last fall, which was also fixed very
quickly.
Cheers,
Joey Peloquin
|-----Original Message-----
|From: Paul Schmehl [mailto:pauls@utdallas.edu]
|Sent: Friday, June 02, 2006 10:51 AM
|To: Mike Fratto
|Cc: websecurity@webappsec.org
|Subject: Re: [WEB SECURITY] Application Security Hacking Videos
|
|Mike Fratto wrote:
|>
|> I am going to go out on a limb here and assume you wouldn't buy any
|> commercial products or deploy any open source then?
|>
|Really? Can you find a remotely exploitable security flaw in Postfix?
|(You can search Securityfocus or google for it.)
|
|How about Tippingpoint? ISS? Those are all products we use.
|Snort has had two that I know about (the bo preprocessor
|overflow and the RPC preprocessor overflow), but both were
|easily mitigated, unlike commercial products.
|
|> I can't think of a single security product that hasn't had some
|> security issue. Can you name some?
|>
|There's a few. But there are some that stand out from the
|crowd and others that seem to have problem after problem after
|problem. To me, that's an indicator of code quality (or lack
|of same) and quality control.
|
|> Ivan is right on the money. It's what a company does when notified
|> about potential vulnerabilities that is important. Oracle is an
|> example of a company with a horrid history of not fixing problems in a
|> timely manner nor do they always fix problems preferring to fix
|> symptoms. Litchfield and others have documented such. Microsoft, on
|> the other hand, is much improved (and could use more) in their
|> response to vulnerabilities since the days of telling the guys at the
|> L0pht that a vulnerability was "theoretical." Both Oracle and MS have
|> strong security in their messaging and have security products and I
|> bet your organization has one or both running.
|>
|We have very few internet-addressable Windows servers (none in
|the security department). We do have Oracle, but we wouldn't
|if I had anything to say about it. It's a horrible product
|made by a company with a horrible attitude about security
|flaws. We have zero security products from MS or Oracle,
|unless you consider WSUS and SMS security products. (I don't.)
|
|--
|Paul Schmehl (pauls@utdallas.edu)
|Adjunct Information Security Officer
|The University of Texas at Dallas
|http://www.utdallas.edu/ir/security/
|