Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: David Hawley (chimanhawaiian.net)
Date: Wed Apr 10 2002 - 00:46:50 CDT
Well Kai, they do all of the above.
Some companies hire an independant Audit team to audit software. Some read
bugtraq, incidents, and others wait until they get hacked. :-)
From: kaipower [mailto:kaipowersubdimension.com]
Sent: Thursday, April 04, 2002 5:05 PM
To: security-basicssecurityfocus.com; vuln-devsecurity-focus.com;
Subject: Techniques for Vulneability discovery
After reading the mailing list for quite a while, there is a burning
question which I kept asking myself:
How do experts discover vulnerabilities in a system/software?
Some categories of vulnerabilities that I am aware of:
1) Buffer overflow (Stack or Heap)
2) Mal access control and Trust management
3) Cross site scripting
4) Unexpected input - e.g. SQL injection?
5) Race conditions
6) password authentication
Do people just run scripts to brute force to find vulnerabilities? (as in
the case of Buffer overflows)
Or do they do a reverse engineer of the software?
How relevant is reverse engineering in this context?
Anybody out there care to give a methodology/strategy in finding
Do You Yahoo!?
Get your free yahoo.com address at http://mail.yahoo.com