Message-ID: <20150112222024.GZ1779@sentinelchicken.org>
Date: Mon, 12 Jan 2015 14:20:24 -0800
From: Tim <tim-security@...tinelchicken.org>
To: Brandon Perry <bperry.volatile@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] McAfee ePolicy Orchestrator Authenticated XXE and
 Credential Exposure


Hi Brandon,

> I always assume if I have
> found a vulnerability, someone else has found it as well. 

Yes, you should.  For those out there who don't routinely find
vulnerabilities, it is hard for them to understand that these issues
aren't hard to find if you know what you're looking for.  Quite a few
bugs I've found in the past have been found by others independently
and published before I got around to it.  It happens a LOT more than
people think.


Also, I think companies that sell security software should be held to
a higher standard when it comes to fixing bugs.  What's the point in
buying security "solutions" if those solutions make you more
vulnerable?   If they currently can't turn around fixes for
vulnerabilities quickly, then they can:

A. Invest more in their release cycle so new releases can be put out
much more quickly.

B. Invest more in up-front security testing and Q/A, so they aren't
shipping vulnerable code to begin with.

C. Do both A and B.


Preventing these bugs isn't black magic.  It isn't rocket surgery.
It's just a matter of getting business leaders to care about shipping
quality code.

tim

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
