Re: Siebel Vulnerabilities

[security curmudgeon <jericho () attrition org>]

: Don't take vulnerabiltity databases as the holy grail. There are _many_ 
: products out there whose vulnerabilities do not get press attention or 
: coverage in vulnerability databases. Almost any complex software systems 
: (such as Tibco, Tivoli or HP Openview) do have a number of security 
: issues. However, few people are going to have the opportunity to proper 
: audit those as only a few corporations run them and people auditing them 
: are typically under NDA agreements. Unless those that audit produce a 
: flashy whitepaper ('Security in XXXX') you will never find their 
: security issues. Of course, some vendors do have a clue and produces 
: proper security guides for top-notch products that might be usable as an 
: audit checklist reference. However, these guides might not be publicly 
: available either.

For the most part you are right, but your tone implies they simply don't 
care, and that is simply false. It doesn't take a flashy whitepaper for 
several of the VDBs to add an entry. It just takes *one* public source to 
cite. Some of them will check changelogs, product knowledge bases, vendor 
mail lists, usenet and more places.

If these high end semi proprietary vendors won't publish such information 
in any form, then VDBs won't have the info. As such, I doubt anyone else 
except clients (possibly under NDA) and employees would have the 
information as well. The only way this will change is if folks start 
posting this information or sharing it with the VDBs provided it does not 
break any confidentiality agreements.

: Trust security vulnerability databases and sources for the common stuff 
: (i.e. wide-spread applications such as web servers or operating 
: systems), don't trust them to be accurate when dealing with uncommon 
: stuff only fortune 100 companies use.

Have you actually looked at the VDBs lately? This comment makes me think 
you haven't.

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------