Re: Penetration testing via shrinkware

[John McDermott <jjm () jkintl com>]

--- On Sat, 19 Sep 1998 23:26:59 -0400 (EDT)  "Paul D. Robertson" 
<proberts () clark net> wrote:


> HTTP is an open-ended protocol specification with some _limitless_ size 
> specifications, I submit that it is beyond "difficult" to verify correct 
> functionality of a layer 5 transport protocol.  Testing just buffer 
> overflows on limitless length objects would seem to be less than an ideal 
> situation. 

Absolutly.

>        Proxies are much easier to verify than stateful filters under 

No doubt about that.

> the same circumstances, but once again, the source code is probably going 
> to give you a much higher level of assurance that oversized objects are 
> correctly handled unless you don't go look at the souce to the library 
> routines as well, in which case you can either do that, or accept a lower 
> level of assurance by banging against the calls with a substantial set of 
> test data.


I do not disagree with this. My real concern is that you have to know what 
to look for.  If the designers of the versions of the code which have 
"security holes" had known what to look for, they would have (hopefully!) 
done things correctly.  My real concern is that the inspectors have to know 
what to look for.

You are also making an assumption that I was not: that the tester has 
access to the source code.  I doubt if I could go to vendor "X" and tell 
them that I want to verify the security of a firewall for my client and 
could I have a peek at the source.   Maybe if my client were big enough I 
could, but for many of us that is not an option.  Just out of curiousity 
does ICSA look at the source for certification?


> Paul

--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
-------------------------------------