
Re: [Full-disclosure] How secure is software X?

Subject: Re: [Full-disclosure] How secure is software X?
Date: Fri, 12 May 2006 03:32:47 +0100
From: "Michael Silk" <michaelslists@gmail.com>

<SNIP>

why do we need this?

Take your average bit of common software. I can bet someone's thrown Spike at it, someone else crazyfuzz, and another foofuz. Now let's say that it stood up to everything that was thrown at it - and let's say another product crumbled in the first few seconds. I'd rather have the first product on my network if, as a business requirement, I need the functionality that that software provided. Sure - it's not a guarantee that it's devoid of security vulnerability but I can be assured that the software's not going to fall to a script kiddie.


If a product did stand up to Spike, crazyfuzz and foofuzz then let's talk about it! The problem is you only ever hear about it when these fuzzers actually find things.

What I'm suggesting is simply collating our bug-hunting collective knowledge into a standard. Those who wish to protect their "trade secret bug find techniques" don't have to play if they don't want.

But in answering "why do we need this?" you clearly don't - but there are people out there that do need this - or at least would like it.

you're referring to what already takes place commercially.
"hi i want a security assessment".
who's going to do these assessments for free? who confirms that the
people doing the assessment know what they are doing?

The thing with a standard is that it is a standard. As such, efforts should be entirely reproducible. Have 3 or more people follow that standard and compare results at the end. If there's a discrepancy, someone's not following the standard. The other aspect, of course, is that it's trivial to write and verify tools that follow a standard.



"Customer: I was hacked .." -> me: -> "David Litchfield told me it was
secure, blame him" -> "David Litchfield: Oh no, our VAAL is just a
guide." -> "Customer: So why the hell do I care about it then?"

Guides for people to use are okay (hello OWASP Guide, and others) but
all you're trying to start is a non-commercial free security assessment
service.

Absolutely. Let's face it - it's what goes on every day, anyway. At least people who care about assurance would be able to make something useful out of all that effort. Besides, who said it had to be free? Like CC - if a company wanted their product evaluated they could pay for it. Or not. I'm sure cost will become relevant at some point but not now. I'm more interested in the technical merits at the moment.


Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
