Full Disclosure mailing list archives
Re: Fwd: Rate Stratfor's Incident Response
From: Valdis.Kletnieks () vt edu
Date: Tue, 17 Jan 2012 09:20:45 -0500
On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said:
> If programmers are aware of security consequences, they would fix them in the first place or try to avoid them.
Unfortunately, there's this problem called "already announced ship date". Go take a look at Skyrim - they announced 11/11/11 ship date like *months* beforehand. And yes, it shipped that day - with lots of glitches. The fact that lots of the glitches were fixed in patches released within days after release indicates that the programming staff knew full well what caused the glitch and what to do to fix it - they just didn't have time to actually *do* it before their freeze date to get stuff onto the DVD. And security bugs are identical to other bugs as far as making a deadline goes - at some point somebody has to say "delay it" or "ship it anyhow". Usually, neither choice is a really good option...
> So I vote for the use of kiddies (only in a controlled test environment). This could even be a public test site where this list could try to break the stuff as long as you tell me how you did it:)
This sort of public test is almost never a good idea. One of two things happens: 1) The kiddies who do it for a lark break it. Yes, now you know you have holes. But the rest of the world now knows you couldn't even find the easy stuff. So you're gonna be dead meat for the vultures once you fix the easy stuff. 2) The kiddies who do it for a lark don't break it. Doesn't prove squat, because they almost certainly didn't check the entire attack surface, or try very hard to break it. A good professional pen test company could still break it - as could a really good black hat. But neither of them are going to participate in your public test unless you offer a lot bigger prize (equivalent to what they'd make for a several-week actual engagement).
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/