lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 10 Jul 2006 19:37:42 -0600
From: Joel Maslak <jmaslak@...elope.net>
To: bugtraq@...urityfocus.com
Subject: Re: LAMP vs Microsoft

On Jul 10, 2006, at 11:50 AM, Bob Beck wrote:

> 	Yes, but what are you hoping to prove with those numbers. I think all
> you're demonstrating is what things get more attention, likely due to
> their popularity, so they make a more interesting target.  I.E.  just
> because you don't find hardly any vulnerabilities for web apps
> deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
> sir can I have another..)[1]) doens't mean those that are aren't rife
> with them.

Exactly.

I have seen far too many Perl/PHP/ASP/ASP.NET/whatever apps that  
can't figure out how to do really simple stuff like quote special  
characters before passing things to a database (or, better yet, using  
stored procedures and your web language's built in parameterized SQL  
exec functions - but that'll start a different religious war).

If you are defending against the next Internet Worm, then these  
numbers may matter.  But if you are defending against data being  
compromised, the architecture of your system is much more important.

In fact, I've pretty much reduced website auditing to a single  
question (yes, it really is more complicated than this, but most  
sites fail on just this one, regardless of platform):

True/False: Someone who becomes an administrator on your public- 
facing web server can read all the data in your database?

If you answer "true" then you've already failed.  Regardless of Linux  
or Windows usage.  Does it matter if you have less bugs if it only  
takes one bug to compromise your entire architecture?


> [1] Yes, I have seen an ANFC used for real [2]
> [2] Yes, it had a hole.


I've seen very few custom web apps that *don't* have a hole.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ