Dailydave mailing list archives

Gold Builds


From: Dave Aitel <dave () immunitysec com>
Date: Sat, 29 Nov 2003 15:31:08 -0500


This Dilbert is security-industry aware!
http://www.comics.com/comics/dilbert/archive/images/dilbert2003111108929.gif

Everyone should go check out this paper on Windows RPC internals from Jean-Baptiste, who continues to do excellent work:
http://www.hsc.fr/ressources/articles/win_net_srv/
Here's a presentation as well:
http://www.hsc.fr/ressources/presentations/hivercon03/

___

There are a lot of consulting companies on this list. I'm wondering if you guys have the same opinions on this sort of thing:

One of the things that Immunity often does is a "host assessment." Usually this means that a large company has put together their mail server or has a "Gold Build" that they are going to base their mail server on, and they want to give it one last check before it goes live. Usually, as in the case yesterday, I use tcpview or lsof, go down the list of open ports, and anywhere there is a third-party application or custom-built application, find one remote hole. My favorite thing to do lately is to use Ollydbg and, starting at recv(), reverse engineer the proprietary protocols until I find something fun. Sometimes you find two something funs. But you usually find SOMETHING on anything that's not part of the base OS. Backup programs, management utilities, third-party ActiveX plugins to web servers, XML conversion programs, etc. All that stuff is buggy as hell.

Now, with bobsbagoffish.com, that's fine. What's a small or medium sized company going to do except use off-the-shelf parts? They just want to know how bad off they are. But with a larger client, the end goal should be, I think, to get the client to change their process to force their vendors to have third-party reviews of their components before they get included in Gold Builds. Otherwise you may have built your entire system on a vendor's products, before realizing they are completely impossible to secure. I think it's a compelling thing to say "Listen, we'd love to include your product in our Base Build, perhaps get a site license? But before we do, we need to see a stamp of approval from one of these four companies." Likewise, when deploying a giant web application, it often makes sense to QA the third-party components of it before you QA your entire finished product. In this case I also think a "stamp of approval" is a good thing, since you can have your vendors get one while you're in your planning process, which gives them time to fix their bugs by the time you go live.

I guess I'm still of the belief that what security consulting companies do is QA, but I think if you HAVE the pull to make your vendors do their own QA, rather than doing it for them, it's nice to push that cost (and the "risk", as an economist would say) back onto them.

Dave Aitel
Immunity, Inc.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
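The first step of the host assessment described in the post (walk the list of listening ports from tcpview or lsof and pick out everything that is not part of the base OS) is easy to make repeatable. The script below is an added example, not code from the post or from Immunity: it parses `lsof -nP -iTCP -sTCP:LISTEN` style output, splits listeners into base-OS and third-party/custom, and orders the review list so that third-party services bound to all interfaces and running as root come first. The lsof sample is constructed, and the `BASE_OS_COMMANDS` allow-list is an assumption to be replaced with the inventory of your own Gold Build.

```python
"""Triage a host's listening TCP sockets into 'base OS' and 'needs review'.

Added example, not part of the original post. The lsof output below is a
constructed sample and BASE_OS_COMMANDS is an assumed inventory; both stand
in for what you would collect from the Gold Build under assessment.
"""
import re
from dataclasses import dataclass

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (no real host).
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sendmail   901 root    4u  IPv4  12400      0t0  TCP *:25 (LISTEN)
bkupagent 1203 root    6u  IPv4  13001      0t0  TCP *:10000 (LISTEN)
mgmtd     1310 root    5u  IPv4  13055      0t0  TCP 127.0.0.1:8443 (LISTEN)
xmlconv   1422 nobody  7u  IPv4  13102      0t0  TCP *:9090 (LISTEN)
"""

# Assumed base-OS inventory: commands shipped with the platform image itself.
BASE_OS_COMMANDS = {"sshd", "sendmail"}

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME is "addr:port (LISTEN)".
LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+TCP\s+(\S+):(\d+)\s+\(LISTEN\)"
)


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    user: str
    addr: str   # "*" means bound to all interfaces
    port: int


def parse_lsof(text):
    """Return one Listener per LISTEN line; the header and non-TCP lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(
                Listener(m.group(1), int(m.group(2)), m.group(3), m.group(4), int(m.group(5)))
            )
    return listeners


def triage(listeners, base_os=BASE_OS_COMMANDS):
    """Split listeners into (base_os, review).

    The review list is ordered by exposure: externally reachable before
    loopback-only, root-owned before unprivileged, then by port number.
    """
    base, review = [], []
    for l in listeners:
        (base if l.command in base_os else review).append(l)
    review.sort(key=lambda l: (l.addr != "*", l.user != "root", l.port))
    return base, review


def review_report(text, base_os=BASE_OS_COMMANDS):
    """Convenience wrapper: parse raw lsof text and return the ordered review list."""
    _, review = triage(parse_lsof(text), base_os)
    return review


if __name__ == "__main__":
    base, review = triage(parse_lsof(SAMPLE_LSOF))
    print(f"{len(base)} base-OS listener(s), {len(review)} to review:")
    for l in review:
        print(f"  {l.command:<10} pid={l.pid:<5} user={l.user:<7} {l.addr}:{l.port}")
```

On a real build, feed it the saved lsof output (or a netstat/tcpview export with the regex adjusted) and reconcile the review list against the vendor components that are supposed to be on the image; anything that shows up without a vendor name attached is exactly the kind of thing the post says gets a "stamp of approval" conversation before it goes into the Gold Build.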

