Re: [Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: Rhys Kidd (rhyskidd at gmail.com)
Date: Thu Nov 16 2006 - 06:19:29 CST
On 11/16/06, dan at geer.org wrote:
>
>
> | I think the real point here is that the majority of people responsible
> | for security have a backwards mindset. Most security practitioners
> | still don't make the assumption that everything is vulnerable and
> | design around it. Of course IIS is vulnerable to an unpublished 0day.
>
>
> so, should one write apps with the assumption that they
> will be running on compromised hosts?
>
> --dan
Or maybe one should write apps with the assumption that their code will be
the REASON they are running on compromised hosts, so they drop root
privileges as soon as possible, scan code with Coverity/smatch/flawfinder,
and utilise compile-time protections where available (SafeSEH, /GS, ASLR
bit).
Case in point: MS released their latest DCERPC/SMB patches this month, but
it doesn't mean they now turn around and say to customers that, "Oh, yeah,
that's the last of them resolved, our products are now secure again".
- Rhys
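The "drop root privileges as soon as possible" advice above has a well-known pitfall: the order of the calls and the absence of a verification step decide whether the drop is real. The following is an added example, not code from the thread; it assumes a daemon started as root that wants to become an unprivileged uid/gid (the `drop_privileges` function and its argument handling are my own).

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid and verify the drop cannot be undone.
 * Returns 0 on success, -1 on failure (errno is left set by the failing call).
 * Order matters: supplementary groups and the gid are changed while we still
 * hold root, and the uid last, because once root is gone the others can no
 * longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may clear supplementary groups; groups inherited from
         * the parent would otherwise survive the drop. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify: a real drop means root cannot be regained and every ID matches. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (gid != 0 && setgid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Usage: ./drop [uid gid]; without arguments it re-asserts the caller's own
 * IDs, which exercises the same checks without needing root. */
int main(int argc, char **argv)
{
    uid_t uid = argc == 3 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    gid_t gid = argc == 3 ? (gid_t)strtoul(argv[2], NULL, 10) : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Calling `setuid()` before `setgid()` is the classic mistake: the gid change then fails silently if its return value is ignored, and the process keeps root's group.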
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave