WebApp Sec mailing list archives
Re: testing compiled php
From: "Robin Wood" <dninja () gmail com>
Date: Mon, 21 Aug 2006 09:46:46 +0100
I like both options, I'll talk to the company buying the app, see if they can negotiate any source code release, I doubt it but you never know.

The second option is the one that I'd like to go with but all I've been paid to do is to get the app installed and running as quickly as possible, there are no funds for me to spend time setting up the extra environment. I may have a go on my own dev box to see how easy it would be so that if there are any problems I would have a working solution ready to implement.

Either way, I've made sure that my client knows that I'm not happy with the app and I've documented all I've found so far along with my concerns.

I guess that is about all I can do for now then.

Ta

Robin

On 8/19/06, Attila-Mihaly Balazs <abalazs () bitdefender com> wrote:
> I see two possible solutions. First maybe you can leverage your (and by this I mean your company's) buying power to get the source code. Maybe you can work out a plan with management (yeah, right :) ). Something along the lines of: you find X vulnerabilities and then you (your company) present the findings in a report which goes along the lines of: your code is very insecure and if you want us to buy your product, sell it with the source code (probably you have to sign some kind of agreement about not redistributing the source code, but at least you can take a look at it).
>
> Another way would be to separate it off your main server by using a virtual machine, another chrooted instance of apache / mysql or something like that. Backup that virtual server often and make the access as restricted as possible. Make sure you write down the risks the installation of this application creates and communicate it to management, so when it blows up they can't point their fingers at you.
>
> Hope this helps.
Current thread:
- testing compiled php Robin Wood (Aug 18)
- Re: testing compiled php Attila-Mihaly Balazs (Aug 20)
- Re: testing compiled php Robin Wood (Aug 21)
- Re: testing compiled php crazy frog crazy frog (Aug 20)
- Re: testing compiled php Robin Wood (Aug 21)
- Re: testing compiled php Attila-Mihaly Balazs (Aug 20)