RE: Informing Companies about security vulnerabilities...

From: Craig Wright (cwright@bdosyd.com.au)
Date: Thu Oct 05 2006 - 22:41:58 EDT


As to "Anyone else find this appalling?" I would answer yes!

As for software glitches - who remembers Therac-25...?

Software bugs can have grave results. There are ways to test and report
however.

Regards,
Craig

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Arian J. Evans
Sent: Friday, 6 October 2006 3:40 AM
To: pen-test@securityfocus.com
Subject: RE: Informing Companies about security vulnerabilities...


> -----Original Message-----
> From: listbounce@securityfocus.com
> [mailto:listbounce@securityfocus.com] On Behalf Of Steve Friedl
>
> [ snip: security problems found, letters ignored ]
>
> > Has anyone else gone through a similar situation?
>
> The rough breakdown over several years was something like:
>
> 80% - got no reply, didn't fix the problem
> 10% - received thank you, fixed the problem
> 5% - received thank you, but didn't fix the problem
> 5% - received hostile reply

Steve summed this up nicely, but I have to say, with small
ISVs the hostility factor is around 50% in my case. I have
yet to test a document management system that isn't riddled
with holes (simply ridiculous), and two of the worst I've
seen actually *MARKET* their product as "secure" and tout
features that simply do not exist, and threaten you about
any discussion of the issues.

Unfortunately, certain client verticals (like law firms)
are really against disclosure, and since they are my client
I march to their beat, so I have a long list of things
that are not fixed that will never be discussed, and the
issues are actively perpetuated by dishonest vendors.

As for the good Samaritan thing, Papa John's cured me of
that years ago, and every now and then I get forgetful
and send a good Samaritan letter and get smacked again,
reminding me that it is dangerous and unbeneficial.

//In summary, it's a waste of time IMO.//

In related news -- I am seeing more and more ISVs and
organizations market "security" as a feature, when they
simply don't have it. Some of the worst products I have
tested are the ones that market the most dishonestly.

(By "simply don't have" I mean advertise your bullet
proof user controls, and have trivially broken access
controls, or advertise .NET security features and then
go turn them all off in your shipping product resulting
in SQL injection, trivial XSS, things that you have to
work extra hard to make happen in that framework)

Anyone else find this appalling? Anyone have any idea
what to do about it? Consumers are getting completely
hosed on this, with no idea there's an issue.

I mean, if I did that with a car, e.g. "has seat belts
and air bags", and it turns out that it doesn't, I'd face
massive repercussions, possibly go to jail...

Luckily a bad DMS can't kill you yet, just possibly cost
you millions of dollars when your key litigation
documentation gets in the opposing counsels' hands.

Ideas?

-ae

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:08 EDT