Firewall Wizards mailing list archives
RE: Vulnerability Response (was: BGP TCP RST Attacks)
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 4 Jun 2004 15:27:16 -0400 (EDT)
On Fri, 4 Jun 2004, Ben Nagy wrote:
> Current vulnerability research is finding lots of lots of amusing ways to make software fail in spite of "Secure Development Practices".
Yes, but that's mostly immaterial to the point- which was inserting the security function into the product evaluation phase by making vendors do the security dance, letting the users see that despite the marketing glossies, the vendors have No Clue[tm] of what's really in their products unless they're doing things well- if they are, then they're likely to have reduced more risk than their competitors.
> The thing is that even good methodology can create bugs that are nearly impossible to find with manual or automatic code auditing tools - as long as
Yes, but bad methodology creates more bugs- so it's still a general win.
> Rather than measuring on (known) bugs/kloc I think it would be better to ask "What is your approach to fault test your own object code?", "How do you plan for component failure" and that kind of thing. Vendors that don't test their code using the same methods as attackers will get 0wned. This is why
Vendors don't need to be attackers, they just have to know how to code well, and know what attacks exist, and how to not have them. Like all things, it's relative, but just like inspecting a configuration versus scanning a system- when you have the source, you get more accuracy from looking at it[0] than from trying it[1].

[0] Assuming you know what you're looking at.
[1] Assuming no environmental issues.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Vulnerability Response (was: BGP TCP RST Attacks), (continued)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Devdas Bhagat (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) George Capehart (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) George Capehart (Jun 02)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) David Lang (Jun 02)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) George Capehart (Jun 03)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 03)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Gwendolynn ferch Elydyr (Jun 03)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 03)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Ben Nagy (Jun 04)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 04)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Ben Nagy (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Marcus J. Ranum (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) Paul D. Robertson (Jun 01)
- RE: Vulnerability Response (was: BGP TCP RST Attacks) R. DuFresne (Jun 01)
- Re: Vulnerability Response (was: BGP TCP RST Attacks) M. Dodge Mumford (Jun 01)