Full Disclosure mailing list archives
Re: Absolute Sownage (A concise history of recent Sony hacks)
From: Valdis.Kletnieks () vt edu
Date: Fri, 10 Jun 2011 21:07:03 -0400
On Sat, 11 Jun 2011 01:36:54 BST, mrx said:
I did the top 10 and hopefully with my limited experience and knowledge in this field have covered them all.
If you did proper checks for the Top 10 (single biggest issue for most of them is remembering to filter *in* valid input, not filter out invalid), and went through your code while thinking to yourself "What would Satan himself put in this field just to make my life miserable?", your code is (unfortunately) probably better than 80-90% of what's out there in production. Even if you don't always succeed at guessing what Satan would put in the field, even all the obvious stuff (too long, too short, unexpected UTF-8, upside-down, whatever) will go a *long* way towards hardening the code. And quite frankly, that may be good enough - if you eliminate 95% of the holes, it may be *effectively* secure, simply because it isn't worth the attacker's time to fight for the other 5% (of course, this also depends on you being "just another one of 140 million .coms", where you don't have to outrun the bear, just the other hiker - if this is highly visible code, of course a higher level of security will be needed...) Oh, and remember that security is trade-offs - spending $10K to fix that last mostly-theoretical hole that will lose you maybe $100 if exploited is simply not worth it. You'll have to assess that cost/value thing based on the actual app and data, of course...
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Absolute Sownage (A concise history of recent Sony hacks) Jeffrey Walton (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) mrx (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Nick FitzGerald (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) mrx (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Valdis . Kletnieks (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Georgi Guninski (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Nick FitzGerald (Jun 11)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Bruce Ediger (Jun 12)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Thor (Hammer of God) (Jun 12)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Georgi Guninski (Jun 12)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Nick FitzGerald (Jun 10)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Sihan (Jun 11)
- Re: Absolute Sownage (A concise history of recent Sony hacks) coderman (Jun 14)
- Re: Absolute Sownage (A concise history of recent Sony hacks) Valdis . Kletnieks (Jun 16)
- Re: Absolute Sownage (A concise history of recent Sony hacks) coderman (Jun 16)
- Re: Absolute Sownage (A concise history of recent Sony hacks) mrx (Jun 16)
- Re: Absolute Sownage (A concise history of recent Sony hacks) mrx (Jun 10)