Message-ID: <021101c6756c$5bc06110$2201a8c0@ngssoftware.com>
Date: Fri, 12 May 2006 03:32:47 +0100
From: "David Litchfield" <davidl@...software.com>
To: <michaelslists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, ntbugtraq@...tserv.ntbugtraq.com,
	bugtraq@...urityfocus.com, dbsec@...elists.org
Subject: Re: How secure is software X?


From: "Michael Silk" <michaelslists@...il.com>

<SNIP>

>why do we need this?

Take your average bit of common software. I can bet someone's thrown Spike 
at it, someone else crazyfuzz, and another foofuzz. Now let's say that it 
stood up to everything that was thrown at it - and let's say another product 
crumbled in the first few seconds. I'd rather have the first product on my 
network if, as a business requirement, I need the functionality that that 
software provided. Sure - it's not a guarantee that it's devoid of security 
vulnerabilities, but I can be assured that the software's not going to fall to 
a script kiddie.

If a product did stand up to Spike, crazyfuzz and foofuzz then let's talk 
about it! The problem is you only ever hear about it when these fuzzers 
actually find things.

What I'm suggesting is simply collating our bug-hunting collective knowledge 
into a standard. Those who wish to protect their "trade secret bug find 
techniques" don't have to play if they don't want.

But in answering "why do we need this?" you clearly don't - but there are 
people out there that do need this - or at least would like it.

>you're referring to what already takes place commercially.
>"hi i want a security assessment".
>who's going to do these assessments for free? who confirms that the
>people doing the assessment know what they are doing?

The thing with a standard is that it is a standard. As such, efforts should be 
entirely reproducible. Have 3 or more people follow that standard and 
compare results at the end. If there's a discrepancy, someone's not following 
the standard. The other aspect, of course, is that it's trivial to write and 
verify tools that follow a standard.


>"Customer: I was hacked .." -> me: -> "David Litchfield told me it was
>secure, blame him" -> "David Litchfield: Oh no, our VAAL is just a
>guide." -> "Customer: So why the hell do I care about it then?"

>Guides for people to use are okay (hello OWASP Guide, and others) but
>all you're trying to start is a non-commercial free security assessment
>service.

Absolutely. Let's face it - it's what goes on every day, anyway. At least 
people who care about assurance would be able to make something useful out 
of all that effort. Besides, who said it had to be free? Like CC - if a 
company wanted their product evaluated they could pay for it. Or not. I'm 
sure cost will become relevant at some point but not now. I'm more 
interested in the technical merits at the moment.

Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/
