Re: [Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: Rhys Kidd (rhyskiddgmail.com)
Date: Thu Nov 16 2006 - 06:19:29 CST
On 11/16/06, dangeer.org <dangeer.org> wrote:
> | I think the real point here is that the majority of people responsible
> | for security have a backwards mindset. Most security practitioners
> | still don't make the assumption that everything is vulnerable and
> | design around it. Of course IIS is vulnerable to an unpublished 0day.
> so, should one write apps with the assumption that
> will be running on compromised hosts?
Or maybe one should write apps with the assumption that their code will be
the REASON they are running on compromised hosts, so they drop root
privileges as soon as possible, scan code with Coverity/smatch/flawfinder,
and utilise compile-time protections where available (SafeSEH, /GS, ASLR).
Case in point: MS released their latest DCERPC/SMB patches this month, but
it doesn't mean they now turn around and say to customers that, "Oh, yeah,
that's the last of them resolved, our products are now secure again".
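As an added illustration of the "drop root privileges as soon as possible" point (example code, not part of the original post): the order of the calls matters, and the drop must be verified as irreversible before the program goes on to handle untrusted input. The target uid/gid 65534 and the "bind a port first" workflow are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop root to uid/gid. Supplementary groups and the primary
 * gid go first: once the uid is no longer 0 those calls are refused.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups, so do it while we can. */
        if (setgroups(0, NULL) != 0) { perror("setgroups"); return -1; }
    }
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    /* With euid 0, setuid() sets real, effective AND saved uid, so no
     * saved root uid remains to switch back to later. */
    if (setuid(uid) != 0) { perror("setuid"); return -1; }
    return 0;
}

/* Confirm the drop is irreversible: if becoming root again succeeds the
 * program still holds root and must not continue. Returns 1 when gone. */
int privileges_are_gone(void)
{
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;
    return errno == EPERM && geteuid() != 0;
}

int main(void)
{
    /* Assumed workflow: privileged setup (e.g. binding a port below 1024)
     * happens before this point; then drop to an unprivileged account.
     * uid/gid 65534 ("nobody" on many systems) is an assumed choice; when
     * not started as root there is nothing to drop, so keep our own ids. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0 || !privileges_are_gone()) {
        fprintf(stderr, "could not drop privileges, refusing to run\n");
        return 1;
    }
    printf("running as uid %u; root is unrecoverable\n", (unsigned)geteuid());
    return 0;
}
```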