Dailydave mailing list archives

Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)


From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Thu, 16 Nov 2006 20:19:29 +0800

On 11/16/06, dan () geer org <dan () geer org> wrote:


| I think the real point here is that the majority of people responsible
| for security have a backwards mindset.  Most security practitioners
| still don't make the assumption that everything is vulnerable and
| design around it.  Of course IIS is vulnerable to an unpublished 0day.


so, should one write apps with the assumption that they
will be running on compromised hosts?

--dan



Or maybe one should write apps with the assumption that their code will be
the REASON they are running on compromised hosts, so they drop root
privileges as soon as possible, scan code with Coverity/smatch/flawfinder,
and utilise compiler-time protections where available (SafeSEH, /GS, ASLR
bit).

Case in point: MS released their latest DCERPC/SMB patches this month, but
it doesn't mean they now turn around and say to customers that, "Oh, yeah
that's the last of them resolved, our products are now secure again".

- Rhys
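The "drop root privileges as soon as possible" step from the post above, as an added example (not code from the post or the list): the order of the calls matters, and the function verifies afterwards that root cannot be regained. It assumes Linux/glibc and uid/gid 65534 (the conventional "nobody" id) as the unprivileged target.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop root to the target uid/gid. Returns 0 on success, -1 on
 * failure. The order is deliberate: supplementary groups first, then the
 * gid, then the uid; once the uid is no longer 0 the group changes would
 * be refused, leaving the process in group 0 (or wheel) for good. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                 /* not root: nothing to drop */
    if (uid == 0 || gid == 0)
        return -1;                /* "dropping" to root is a misconfiguration */
    if (setgroups(0, NULL) != 0)  /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)         /* real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)         /* real, effective and saved uid */
        return -1;
    /* Verify the drop is irrevocable: a successful setuid(0) here means a
     * saved uid of 0 survived, which any bug in the process could use. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Post-condition a daemon can check right after dropping: 1 if no path
 * back to root remains, 0 otherwise. */
int privileges_are_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;                 /* regained root: the drop was incomplete */
    return 1;
}

int main(void)
{
    /* 65534 as "nobody" is an assumption about the host, not a fixed fact. */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("privileges dropped: %s\n", privileges_are_dropped() ? "yes" : "NO");
    return privileges_are_dropped() ? 0 : 1;
}
```

Run as root it actually drops to 65534; run as an ordinary user it is a no-op and the check still passes.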
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
