Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 5 Oct 2006 12:39:38 -0500
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Friedl

[ snip: security problems found, letters ignored ]

> Has anyone else gone through a similar situation?
>
> The rough breakdown over several years was something like:
>
>   80% - got no reply, didn't fix the problem
>   10% - received thank you, fixed the problem
>    5% - received thank you, but didn't fix the problem
>    5% - received hostile reply
Steve summed this up nicely, but I have to say, with small ISVs the hostility factor is around 50% in my case. I have yet to test a document management system that isn't riddled with holes, simply ridiculous, and two of the worst I've seen actually *MARKET* their product as "secure" and tout features that simply do not exist, and threaten you about any discussion of the issues.

Unfortunately, certain client verticals (like law firms) are really against disclosure, and since they are my client I march to their beat, so I have a long list of things that are not fixed that will never be discussed, and the issues are actively perpetuated by dishonest vendors.

As for the good Samaritan thing, Papa John's cured me of that years ago, and every now and then I get forgetful and send a good Samaritan letter and get smacked again, reminding me that it is dangerous and unbeneficial.

//In summary, it's a waste of time IMO.//

In related news -- I am seeing more and more ISVs and organizations market "security" as a feature, when they simply don't have it. Some of the worst products I have tested are the ones that market the most dishonestly. (By "simply don't have" I mean advertise your bulletproof user controls, and have trivially broken access controls, or advertise .NET security features and then go turn them all off in your shipping product, resulting in SQL injection, trivial XSS, things that you have to work extra hard to make happen in that framework.)

Anyone else find this appalling? Anyone have any idea what to do about it? Consumers are getting completely hosed on this, with no idea there's an issue. I mean, if I did that with a car, e.g. "has seat belts and air bags" and it turns out that it doesn't, I'd face massive repercussions, possibly go to jail... Luckily a bad DMS can't kill you yet, just possibly cost you millions of dollars when your key litigation documentation gets in the opposing counsels' hands.

Ideas?
-ae
Current thread:
- Informing Companies about security vulnerabilities... Joseph McCray (Oct 04)
- RE: Informing Companies about security vulnerabilities... Clemens, Dan (Oct 04)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 04)
- RE: Informing Companies about security vulnerabilities... Arian J. Evans (Oct 05)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 04)
- Re: Informing Companies about security vulnerabilities... Jex (Oct 04)
- Re: Informing Companies about security vulnerabilities... Wolf Halton (Oct 04)
- Re: Informing Companies about security vulnerabilities... Micro Kluge (Oct 06)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 04)
- Re: Informing Companies about security vulnerabilities... Andreas Putzo (Oct 05)
- Re: Informing Companies about security vulnerabilities... Steve Friedl (Oct 05)
- Re: Informing Companies about security vulnerabilities... pand0ra (Oct 05)
- Re: Informing Companies about security vulnerabilities... s-williams (Oct 05)
- Re: Informing Companies about security vulnerabilities... Dan Catalin Vasile (Oct 05)