Full Disclosure mailing list archives
Re: Fwd: Rate Stratfor's Incident Response
From: Valdis.Kletnieks () vt edu
Date: Wed, 11 Jan 2012 09:44:37 -0500
On Wed, 11 Jan 2012 01:33:18 CST, Laurelai said:
If you guys can't scan for basic SQL injection and these kids can then there's a real problem, that's my point here.
That may or may not be true. Doesn't mean you have the right solution. Also, you seem to keep forgetting that this is an asymmetric problem. The security guy has to scan *every single* entry point of *every single* app for an SQL injection, which could take a while for a large company. They are usually limited in how much time they have (two to four weeks, usually). And then scan for *every other* thing on the OWASP Top 10. One script kiddie gets lucky and finds one hole, they get their name in the news.
As the ancient proverb says, "Set a thief to catch a thief."
The fact it's a proverb doesn't make it correct or useful in today's world. http://www.answers.com/topic/set-a-thief-to-catch-a-thief Maybe in 1665 it was the best way to do it. I'd certainly hope that today with modern techniques like fingerprints and DNA and surveillance cameras, a detective is better at catching thieves than another thief would be. Remember - the fact the guy knows how to pick a 5-tumbler lock doesn't mean he knows how to lift the prints off said lock after somebody else did it.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/