Message-ID: <166523.1326810045@turing-police.cc.vt.edu>
Date: Tue, 17 Jan 2012 09:20:45 -0500
From: Valdis.Kletnieks@...edu
To: Martijn Broos <martijn.broos@...xion.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Fwd: Rate Stratfor's Incident Response
On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said:
> If programmers are aware of security consequences, they would fix them in the
> first place or try to avoid them.
Unfortunately, there's this problem called "already announced ship date".
Go take a look at Skyrim - they announced 11/11/11 ship date like *months*
beforehand. And yes, it shipped that day - with lots of glitches. The fact
that lots of the glitches were fixed in patches released within days after
release indicates that the programming staff knew full well what caused the
glitch and what to do to fix it - they just didn't have time to actually *do*
it before their freeze date to get stuff onto the DVD.
And security bugs are identical to other bugs as far as making a deadline goes
- at some point somebody has to say "delay it" or "ship it anyhow". Usually,
neither choice is a really good option...
> So I vote for the use of kiddies (only in a controlled test environment).
> This could even be a public test site where this list could try to break the
> stuff as long as you tell me how you did it:)
This sort of public test is almost never a good idea. One of two things happens:
1) The kiddies who do it for a lark break it. Yes, now you know you have
holes. But the rest of the world now knows you couldn't even find the easy
stuff. So you're gonna be dead meat for the vultures once you fix the easy
stuff.
2) The kiddies who do it for a lark don't break it. Doesn't prove squat,
because they almost certainly didn't check the entire attack surface, or try
very hard to break it. A good professional pen test company could still break
it - as could a really good black hat. But neither of them is going to
participate in your public test unless you offer a lot bigger prize (equivalent
to what they'd make for a several-week actual engagement).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/