Penetration Testing mailing list archives
Re: Siebel Vulnerabilities
From: security curmudgeon <jericho () attrition org>
Date: Sat, 6 Aug 2005 04:09:43 -0400 (EDT)
: Don't take vulnerability databases as the holy grail. There are _many_
: products out there whose vulnerabilities do not get press attention or
: coverage in vulnerability databases. Almost any complex software systems
: (such as Tibco, Tivoli or HP Openview) do have a number of security
: issues. However, few people are going to have the opportunity to properly
: audit those as only a few corporations run them and people auditing them
: are typically under NDA agreements. Unless those that audit produce a
: flashy whitepaper ('Security in XXXX') you will never find their
: security issues. Of course, some vendors do have a clue and produce
: proper security guides for top-notch products that might be usable as an
: audit checklist reference. However, these guides might not be publicly
: available either.

For the most part you are right, but your tone implies they simply don't care, and that is simply false. It doesn't take a flashy whitepaper for several of the VDBs to add an entry. It just takes *one* public source to cite. Some of them will check changelogs, product knowledge bases, vendor mail lists, usenet and more places. If these high-end semi-proprietary vendors won't publish such information in any form, then VDBs won't have the info. As such, I doubt anyone else except clients (possibly under NDA) and employees would have the information as well.

The only way this will change is if folks start posting this information or sharing it with the VDBs, provided it does not break any confidentiality agreements.

: Trust security vulnerability databases and sources for the common stuff
: (i.e. wide-spread applications such as web servers or operating
: systems), don't trust them to be accurate when dealing with uncommon
: stuff only Fortune 100 companies use.

Have you actually looked at the VDBs lately? This comment makes me think you haven't.