Dailydave mailing list archives

Re: [Fwd: Why I love Spike..]


From: Dave Aitel <dave () immunitysec com>
Date: Thu, 16 Sep 2004 22:56:04 -0400

Matt Hargett wrote:

> Mike Bailey wrote:
>
>>> I tried hard to make SPIKE as unusable as possible, and yet still people use it. QA teams, for the most part, don't however. I believe this is because most of them don't have anyone on staff who knows C, which is probably the original idea behind Greg Hoglund putting a GUI on a fuzzer and trying to resell it to them. I still think this would work, if you priced it right. Something simple, but customizable.
>>
>> It would certainly sell. Make it really intuitive to help coddle the process along and relatively inexpensive so as not to choke the budgets and people would use it. From QA staff to sysadmins to security folk. It's already powerful, it just needs "simple" to get into the hands of the masses.
>
> I beg to differ. After working in QA for 6 years (mostly in the security space), I did a lot of "fuzzing" testing manually, built custom tools to do it, combined it with runtime analysis, etc. When I went to ClickToSecure to work on Hailstorm, I thought it was the perfect tool for security QA people. I was wrong.
>
> The approach is intrinsically flawed, far too involved given the amount of time people are generally given to test, has no good way to do fault detection, has no good way to measure code coverage (and therefore the effectiveness of the fault injection), etc., etc. This is all detailed in a talk I have yet to give. (Maybe I should resubmit to Blackhat?)

Hmm. I think maybe Cenzic has the right idea. Drop the whole arbitrary protocol, and focus on the HTTP thing. Maybe even drop a shim into a win32 process if you feel like it to detect CreateProcessA and fopen() style bugs. Simple stuff. But a lot of QA depts I work with are still cutting and pasting long strings into explorer windows to test for overflows. And they use all sorts of tools for automation of functionality testing, but if you priced it right, they'd use another tool for overflows and SQL injection. I think the problem is selling it sometimes - you really do want to have a large consulting arm that sells it, rather than a sales force. It would have done well at @stake. :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
