Re: McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure

[Tim <tim-security () sentinelchicken org>]

Hi Brandon,

> I always assume if I have
> found a vulnerability, someone else has found it as well. 

Yes, you should.  For those out there who don't routinely find
vulnerabilities, it is hard for them to understand that these issues
aren't hard to find if you know what you're looking for.  Quite a few
bugs I've found in the past have been found by others independently
and published before I got around to it.  It happens a LOT more than
people think.


Also, I think companies that sell security software should be held to
a higher standard when it comes to fixing bugs.  What's the point in
buying security "solutions" if those solutions make you more
vulnerable?   If they currently can't turn around fixes for
vulnerabilities quickly, then they can:

A. Invest more in their release cycle so new releases can be put out
much more quickly.

B. Invest more in up-front security testing and Q/A, so they aren't
shipping vulnerable code to begin with.

C. Do both A and B


Preventing these bugs isn't black magic.  It isn't rocket surgery.
It's just a matter of getting business leaders to care about shipping
quality code.

tim

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/