
Re: [WEB SECURITY] Disclosure for Web Applications



On 1/11/07, txs <txs@xxxxxxxxxxxxxx> wrote:

I would certainly agree that notification of both the ftp company and the
users of the ftp program is responsible and education is paramount, however
the issue comes in the form of: I can't legally test the ftpd on the remote
site without permission. That would be considered illegal (in most
countries). If I could install the ftpd locally and find the vuln.. rock on.


Well and in all seriousness (I guess my last post was tongue in cheek serious)...

This gets to the heart of the issue with web apps and what makes it so
difficult and serious...

Web Apps are not at all like FTP servers that can be downloaded. Web
Apps are almost always a mix of COTS stuff like apache, and more
importantly layers of custom code.
The custom code is often the code that contains the most egregious
security issues, since the budget and education are not available to
engineer secure solutions in order to mitigate the risk significantly
enough to make the target uninteresting. You cannot possibly test
custom web application code in the USA without putting yourself at
great risk of making yourself an enemy combatant, and getting thrown
in jail for like a life of torture now that habeas corpus is gone. And
that to me is a bit like legislating your head up your ass...

my 2 cents.


Otherwise nobody can legally discover problems in the target environment
(read any web site) and we get into a very sticky catch-22. I can't legally
find the vulnerabilities, and I can't legally disclose them. So vulnerable
websites are destined to (legally anyhow) stay that way. I don't know about
you, but that says to me that the state of security will steadily decline
the more lines of code that are created.

PS: I second your notion of killing all of the lawyers. Especially the ones
that put security researchers in jail! :)

Cheers

--txs





--
Dennis Groves
vcard: http://homepage.mac.com/dennisgr/FileSharing13.html

Be who you are and say what you feel,
because those who mind don't matter
and those who matter don't mind.
Theodor Geisel

----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/


The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




Brought to you by http://www.webappsec.org