[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <99529.1326293077@turing-police.cc.vt.edu>
Date: Wed, 11 Jan 2012 09:44:37 -0500
From: Valdis.Kletnieks@...edu
To: Laurelai <laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Rate Stratfor's Incident Response
On Wed, 11 Jan 2012 01:33:18 CST, Laurelai said:
> If you guys cant scan for basic sql injection and these kids can then
> theres a real problem, thats my point here.
That may or may not be true. Doesn't mean you have the right solution.
Also, you seem to keeo forgetting that this is an asymmetric problem.
The security guy has to scan *every single* entry point of *every single* app
for an SQL injection, which could take a while for a large company. They are usually
limited in how much time they have (two to four weeks, usually). And then scan
for *every other* thing on the OWASP Top 10.
One script kiddie gets lucky and finds one hole, they get their name in the news.
> As the ancient proverb says "Set a thief to catch a thief"
The fact it's a proverb doesn't make it correct or useful in today's world.
http://www.answers.com/topic/set-a-thief-to-catch-a-thief
Maybe in 1665 it was the best way to do it. I'd certainly hope that today with
modern techniques like fingerprints and DNA and surveillance cameras, a
detective is better at chatching thieves than another thief would be.
Remember - the fact the guy knows how to pick a 5-tumbler lock doesn't mean he
knows how to lift the prints off said lock after somebody else did it.
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists