Full Disclosure mailing list archives
Re: How secure is software X?
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Sat, 13 May 2006 15:35:22 +0200
Lucien Fransman wrote:
I often wondered about this. An assessment is only as good as the assesser. What is the use of a "i can break and exploit $foo application, and have shown this in my tests", if it is done by a private exploit? Again, i'm
[...]
It only shows that the application has a bug, that is known to you or your company. Will it benefit the company that is being tested? I am not so sure about this. What would a company do with this kind of information? Fix the bug? They can't because they dont have access to the source. Will it entice the vendor to fix the vulnerability? No, as they dont know it exists.
It shows that the company's security could/should be improved. Security must follow a layered approach. Perhaps you cannot fix the real problem (i.e. the bug) but you can avoid it to be exploited/abused. For instance, the pentester *probably* couldn't have exploited that 0-day overflow in that Linux critical server if it had Grsec running on. Or the pentester couldn't have exploited that 0-day SQL injection bug if Apache had been configured with some kind of application firewall (ModSecurity, etc). Or this hacked-by-0day server couldn't have been even accessed if the network were propperly segmented/firewalled. Or my IDS noticed the 0day exploitation (not very sure of this }:-)). Or I couldn't avoid the compromise but I had it logged to my syslog bullet-proof server. Or... <etc, etc> If I were a company, I'd like to know that I survived to 0day exploit attempts or at least I detected them. It's an important added value for me. -- Saludos, -Roman PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- How secure is software X? David Litchfield (May 11)
- Re: How secure is software X? Michael Silk (May 11)
- Re: How secure is software X? David Litchfield (May 11)
- Re: How secure is software X? Blue Boar (May 11)
- Re: How secure is software X? Brian Eaton (May 12)
- Re: How secure is software X? Blue Boar (May 12)
- Re: How secure is software X? Brian Eaton (May 12)
- Re: How secure is software X? sebastian . rother (May 12)
- Re: How secure is software X? Brian Eaton (May 12)
- Re: How secure is software X? Michael Silk (May 11)
- Re: How secure is software X? Lucien Fransman (May 12)
- Re: How secure is software X? Lucien Fransman (May 12)
- Re: How secure is software X? Roman Medina-Heigl Hernandez (May 13)
- Re: How secure is software X? Valdis . Kletnieks (May 13)
- <Possible follow-ups>
- RE: How secure is software X? Ferguson, Justin (IARC) (May 12)
- Re: How secure is software X? David Litchfield (May 13)
- Re: How secure is software X? Mike Hoskins (May 13)
- Re: How secure is software X? David Litchfield (May 13)