lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <59090.1307754423@turing-police.cc.vt.edu>
Date: Fri, 10 Jun 2011 21:07:03 -0400
From: Valdis.Kletnieks@...edu
To: mrx <mrx@...pergander.org.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Absolute Sownage (A concise history of recent
	Sony hacks)

On Sat, 11 Jun 2011 01:36:54 BST, mrx said:
> I did the top 10 and hopefully with my limited experience and knowledge in
> this field have covered them all.

If you did proper checks for the Top 10 (single biggest issue for most of them
is remembering to filter *in* valid input, not filter out invalid), and went
through your code while thinking to yourself "What would Satan himself put in
this field just to make my life miserable?",  your code is (unfortunately)
probably better than 80-90% of what's out there in production.

Even if you don't always succeed at guessing what Satan would put in the field,
even all the obvious stuff (too long, too short, unexpected UTF-8, upside-down,
whatever) will go a *long* way towards hardening the code.  And quite frankly,
that may be good enough - if you eliminate 95% of the holes, it may be
*effectively* secure, simply because it isn't worth the attacker's time to
fight for the other 5% (of course, this also depends on you being "just another
one of 140 million .coms", where you don't have to outrun the bear, just the
other hiker - if this is highly visible code, of course a higher level of
security will be needed...)

Oh, and remember that security is trade-offs - spending $10K to fix that last
mostly-theoretical hole that will lose you maybe $100 if exploited is simply
not worth it.  You'll have to assess that cost/value thing based on the actual
app and data, of course...


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ