Mike Fratto wrote:
> I am going to go out on a limb here and assume you wouldn't buy any
> commercial products or deploy any open source then?

Really? Can you find a remotely exploitable security flaw in Postfix?
(You can search Securityfocus or google for it.)
How about Tippingpoint? ISS? Those are all products we use. Snort has
had two that I know about (the bo preprocessor overflow and the RPC
preprocessor overflow), but both were easily mitigated, unlike commercial
products.

> I can't think of a single security product that hasn't had some
> security issue. Can you name some?

There are a few. But there are some that stand out from the crowd and
others that seem to have problem after problem after problem. To me,
that's an indicator of code quality (or lack of same) and quality control.

> Ivan is right on the money. It's what a company does when notified
> about potential vulnerabilities that is important. Oracle is an
> example of a company with a horrid history of not fixing problems in a
> timely manner, nor do they always fix problems, preferring to fix
> symptoms. Litchfield and others have documented such. Microsoft, on
> the other hand, is much improved (and could use more) in their
> response to vulnerabilities since the days of telling the guys at the
> L0pht that a vulnerability was "theoretical." Both Oracle and MS have
> strong security in their messaging and have security products and I
> bet your organization has one or both running.

We have very few internet-addressable Windows servers (none in the
security department). We do have Oracle, but we wouldn't if I had
anything to say about it. It's a horrible product made by a company with
a horrible attitude about security flaws. We have zero security products
from MS or Oracle, unless you consider WSUS and SMS security products. (I
don't.)
--
Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/