Penetration Testing mailing list archives
[PEN-TEST] Design and maintenance of secure systems (was Re: IIS4/5)
From: Bennett Todd <bet () RAHUL NET>
Date: Fri, 22 Dec 2000 10:26:29 -0500
2000-12-21-13:32:41 Ryan Russell:
[...] Assuming you've got your patches and permissions/configurations in place, you're relatively safe until the next public hole is announced. That means you'll have to keep an eye on new holes being announced. You'll never be able to put it in place, and walk away confident that it will be safe forever.
That's definitely true with some systems (including the one that provoked this thread). It's generally the nature of systems that have more features than the designers and implementers of the system are capable of handling correctly.
You can't do that with any system.
Today, you can't do that with any system that's handling really complex and elaborate server-side dynamic content with more efficient implementations than CGI. You can get awfully close by using an exceedingly simple config of an exceedingly simple webserver to implement a simple design; unfortunately, the one webserver which I'd truly trust to be 100% perfectly secure indefinitely doesn't support even CGI, so no dynamic content at all.
I could get into which sets of software I'd prefer to try and minimize the number of holes that crop up in the future, and minimize the number of times I have to apply a patch in the middle of the night with no advanced warning, but that's really a different question.
A different question perhaps, but a valuable one to consider. Could even imagine it has a bearing on pen-testing; the most important step in security evaluation in general is estimating the overall security of the target system, and appraising where, if anywhere, it might be vulnerable. With appropriate choice of platform, daemons, and configuration, accepting limits to functionality where needed to achive good security, you can come close enough to a fire-and-forget security solution for many purposes. Different folks will cite different tools as relevant for this job, but it's probably a good idea for a pen-tester to be sufficiently familiar with them that they know where they can be misconfigured to introduce problems, and how to quickly check them over to satisfy yourself that there are none; it's too easy to waste time hammering a system that's not gonna crack. -Bennett
Attachment:
_bin
Description:
Current thread:
- [PEN-TEST] [pen-test] IIS4/5 Mattias Tiasen (Dec 21)
- Re: [PEN-TEST] [pen-test] IIS4/5 Ryan Russell (Dec 21)
- [PEN-TEST] Design and maintenance of secure systems (was Re: IIS4/5) Bennett Todd (Dec 22)
- Re: [PEN-TEST] [pen-test] IIS4/5 Ryan Russell (Dec 21)