Penetration Testing mailing list archives
RE: Informing Companies about security vulnerabilities...
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 6 Oct 2006 12:41:58 +1000
As to "Anyone else find this appalling?" I would answer yes!

As for software glitches - who remembers THERAC-25....? Software bugs can have grave results. There are ways to test and report however.

Regards,
Craig

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Arian J. Evans
Sent: Friday, 6 October 2006 3:40 AM
To: pen-test () securityfocus com
Subject: RE: Informing Companies about security vulnerabilities...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Friedl

> [ snip: security problems found, letters ignored ]
> Has anyone else gone through a similar situation?
> The rough breakdown over several years was something like:
>   80% - got no reply, didn't fix the problem
>   10% - received thank you, fixed the problem
>    5% - received thank you, but didn't fix the problem
>    5% - received hostile reply

Steve summed this up nicely, but I have to say, with small ISVs the hostility factor is around 50% in my case. I have yet to test a document management system that isn't riddled with holes, simply ridiculous, and two of the worst I've seen actually *MARKET* their product as "secure" and tout features that simply do not exist, and threaten you about any discussion of the issues.

Unfortunately, certain client verticals (like law firms) are really against disclosure, and since they are my client I march to their beat, so I have a long list of things that are not fixed that will never be discussed, and the issues are actively perpetuated by dishonest vendors.

As for the good Samaritan thing, Papa John's cured me of that years ago, and every now and then I get forgetful and send a good Samaritan letter and get smacked again, reminding me that it is dangerous and unbeneficial.

//In summary, it's a waste of time IMO.//

In related news -- I am seeing more and more ISVs and organizations market "security" as a feature, when they simply don't have it. Some of the worst products I have tested are the ones that market the most dishonestly. (By "simply don't have" I mean advertise your bulletproof user controls, and have trivially broken access controls, or advertise .NET security features and then go turn them all off in your shipping product, resulting in SQL injection, trivial XSS, things that you have to work extra hard to make happen in that framework.)

Anyone else find this appalling? Anyone have any idea what to do about it? Consumers are getting completely hosed on this, with no idea there's an issue.

I mean, if I did that with a car, e.g. "has seat belts and air bags" and it turns out that it doesn't, I'd face massive repercussions, possibly go to jail... Luckily a bad DMS can't kill you yet, just possibly cost you millions of dollars when your key litigation documentation gets in the opposing counsels' hands.

Ideas?
-ae