NFR Wizards Archive: Re: Penetration testing via shrinkware

Re: Penetration testing via shrinkware


John McDermott (jjmjkintl.com)
Sun, 20 Sep 98 16:51:37


--- On Sat, 19 Sep 1998 23:26:59 -0400 (EDT) "Paul D. Robertson"
<probertsclark.net> wrote:

>
>HTTP is an open-ended protocol specification with some _limitless_ size
>specifications, I submit that it is beyond "difficult" to verify correct
>functionality of a layer 5 transport protocol. Testing just buffer
>overflows on limitless length objects would seem to be less than an ideal
>situation.

Absolutely.

> Proxies are much easier to verify than stateful filters under

No doubt about that.

>the same circumstances, but once again, the source code is probably going
>to give you a much higher level of assurance that oversized objects are
>correctly handled unless you don't go look at the source to the library
>routines as well, in which case you can either do that, or accept a lower
>level of assurance by banging against the calls with a substantial set of
>test data.
>

I do not disagree with this. My real concern is that you have to know what
to look for. If the designers of the versions of the code which have
"security holes" had known what to look for, they would have (hopefully!)
done things correctly. My real concern is that the inspectors have to know
what to look for.

You are also making an assumption that I was not: that the tester has
access to the source code. I doubt if I could go to vendor "X" and tell
them that I want to verify the security of a firewall for my client and
could I have a peek at the source. Maybe if my client were big enough I
could, but for many of us that is not an option. Just out of curiosity,
does ICSA look at the source for certification?

>Paul

--john

-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjmjkintl.com>
Writer and Computer Consultant
-------------------------------------



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT