Re: [Full-disclosure] How secure is software X?

To: <michaelslists@xxxxxxxxx>
Subject: Re: [Full-disclosure] How secure is software X?
From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
Date: Fri, 12 May 2006 03:32:47 +0100
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx>, <dbsec@xxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <01fe01c67567$ad61b1e0$2201a8c0@xxxxxxxxxxxxxxx> <5e01c29a0605111909l577d8b2ctbd427caee7aa945f@xxxxxxxxxxxxxx>

From: "Michael Silk" <michaelslists@xxxxxxxxx>

<SNIP>

why do we need this?

Take your average bit of common software. I can bet someone's thrown Spikeat it, someone else crazyfuzz, and another foofuz. Now let's say that itstood up to everything that was thrown at it - and let's say another productcrumbled in the first few seconds. I'd rather have the first product on mynetwork if, as a business requirement, I need the functionality that thatsoftware provided. Sure - it's not a guarantee that it's devoid of securityvulnerability but I can be assured that the software's not going to fall toa script kiddie.

If a product did stand up the Spike, crazyfuzz and foofuzz then let's talkabout it! The problem is you only ever hear about when these fuzzersactually find things.

What I'm suggesting is simply collating our bug-hunting collective knowledgeinto a standard. Those who wish to protect their "trade secret bug findtechniques" don't have to play if they don't want.

But in answering "why do we need this?" you clearly don't - but there arepeople out there that do need this - or at least would like it.

you're referring to what already takes place commercially.
"hi i want a security assessment".
who's going to do these assessments for free? who confirms that the
people doing the assessment know what they are doing?

The thing with a standard is that it is a standard. A such efforts should beentirely reproducible. Have 3 or more people follow that standard andcompare results at the end. If there's a discrepancy someone's not followingthe standard. The other aspect of course that it's trivial to write andverify tools that follow a standard.

"Customer: I was hacked .." -> me: -> "David Litchfield told me it was
secure, blame him" -> "David Litchfield: Oh no, our VAAL is just a
guide." -> "Customer: So why the hell do I care about it then?"

Guides for people to use are okay (hello OWASP Guide, and others) but
all your trying to start is a non-commercial free security assessment
service.

Absolutely. Let's face it - it's what goes on every day, anyway. At leastpeople who care about assurance would be able to make something useful outof all that effort. Besides, who said it had to be free? Like CC - if acompany wanted their product evaluated they could pay for it. Or not. I'msure cost will become relevant at some point but not now. I'm moreinterested in the technical merits at the moment.


Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/

References:
- How secure is software X?
  - From: David Litchfield
- Re: [Full-disclosure] How secure is software X?
  - From: Michael Silk

Prev by Date: [Kurdish Security # 7] Foing Remote File Include Vulnerability [PHPBB]
Next by Date: TSLSA-2006-0026 - kernel
Previous by thread: Re: [Full-disclosure] How secure is software X?
Next by thread: Re: How secure is software X?
Index(es):
- Date
- Thread