
| Subject: | Re: testing compiled php |
|---|---|
| Date: | Mon, 21 Aug 2006 09:46:46 +0100 |
I like both options. I'll talk to the company buying the app and see if they can negotiate any source code release; I doubt it, but you never know.
The second option is the one that I'd like to go with, but all I've been paid to do is get the app installed and running as quickly as possible; there are no funds for me to spend time setting up the extra environment. I may have a go on my own dev box to see how easy it would be, so that if there are any problems I would have a working solution ready to implement.
Either way, I've made sure that my client knows that I'm not happy with the app and I've documented all I've found so far along with my concerns. I guess that is about all I can do for now then.
Ta
Robin
> I see two possible solutions. First, maybe you can leverage your (and by this I mean your company's) buying power to get the source code. Maybe you can work out a plan with management (yeah, right :) ). Something along the lines of: you find X vulnerabilities and then you (your company) present the findings in a report which goes along the lines of "your code is very insecure and if you want us to buy your product, sell it with the source code" (probably you have to sign some kind of agreement about not redistributing the source code, but at least you can take a look at it).
> Another way would be to separate it off from your main server by using a virtual machine, another chrooted instance of apache / mysql or something like that. Back up that virtual server often and make the access as restricted as possible. Make sure you write down the risks the installation of this application creates and communicate them to management, so when it blows up they can't point their fingers at you.
> Hope this helps.
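Since an encoded PHP application cannot be source-reviewed, one concrete thing that can be done alongside the isolation advice above is a least-privilege audit of the installed tree, so that the findings go into the risk document handed to management and the obvious permission mistakes are fixed before the app goes live. The script below is an added example, not code from this thread or from the product being discussed. It assumes the app is served by Apache as an unprivileged user, that no file in the tree needs an executable bit (PHP is interpreted by the server module), that only an explicit allow-list of directories (uploads, cache) may be writable by the web server's group, and that the names in `SECRET_NAMES` are the usual places credentials end up; the sample tree it audits is constructed in a temp directory and is not a real product.

```python
"""Least-privilege audit and hardening for an opaque (encoded) PHP app tree.

Added example; assumptions: app tree under one directory, served by an
unprivileged Apache user whose group owns the tree; nothing needs the
executable bit; writable directories are an explicit allow-list.
"""
import os
import stat
import tempfile

# Hypothetical list of files that typically carry DB/app credentials.
SECRET_NAMES = ("config.php", "config.inc.php", "settings.php", ".htpasswd")


def _under_allowed(path, allowed):
    """True if `path` is one of the allowed writable dirs or lives inside one."""
    path = os.path.normpath(path)
    return any(path == a or path.startswith(a + os.sep) for a in allowed)


def audit_tree(root, writable_dirs=()):
    """Walk `root` and return (relative_path, problem) tuples for the risk report."""
    findings = []
    allowed = {os.path.normpath(os.path.join(root, d)) for d in writable_dirs}
    real_root = os.path.realpath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode  # lstat: inspect the link, not its target
            if stat.S_ISLNK(mode):
                target = os.path.realpath(path)
                if not target.startswith(real_root + os.sep):
                    findings.append((rel, "symlink escapes app root: %s" % target))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP and not _under_allowed(path, allowed):
                findings.append((rel, "group-writable outside allow-list"))
            if not stat.S_ISDIR(mode):
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((rel, "setuid/setgid bit set"))
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    findings.append((rel, "executable bit set"))
                if name in SECRET_NAMES and mode & stat.S_IROTH:
                    findings.append((rel, "secret-bearing file readable by others"))
    return findings


def harden_tree(root, writable_dirs=()):
    """Apply owner-rw/group-r permissions everywhere except the allow-listed dirs.

    Symlinks are left alone on purpose: a link escaping the tree is something
    to remove by hand and record, not something chmod can fix.
    """
    allowed = {os.path.normpath(os.path.join(root, d)) for d in writable_dirs}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            writable = _under_allowed(path, allowed)
            if stat.S_ISDIR(mode):
                os.chmod(path, 0o770 if writable else 0o750)
            else:
                os.chmod(path, 0o660 if writable else 0o640)


def build_sample_tree():
    """Constructed sample tree with typical install mistakes (not a real app)."""
    root = tempfile.mkdtemp(prefix="encoded-app-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "lib"))
    for rel, mode in (("index.php", 0o755), ("config.php", 0o644),
                      ("lib/encoded.php", 0o666), ("uploads/.keep", 0o660)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o770)   # allowed writable dir
    os.chmod(os.path.join(root, "lib"), 0o777)       # world-writable: bad
    os.symlink("/etc/passwd", os.path.join(root, "lib", "passwd"))  # escapes root
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("Before hardening:")
    for rel, problem in sorted(audit_tree(sample, writable_dirs=("uploads",))):
        print("  %-20s %s" % (rel, problem))
    harden_tree(sample, writable_dirs=("uploads",))
    print("After hardening:")
    for rel, problem in sorted(audit_tree(sample, writable_dirs=("uploads",))):
        print("  %-20s %s" % (rel, problem))
```

Run it as the account that owns the app tree (or root) before the first restart of the isolated Apache instance; the "before" list is what goes into the risk write-up, and anything still reported after `harden_tree` (such as the escaping symlink in the sample) needs a manual decision rather than a chmod.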