BugTraq
Re: LAMP vs Microsoft Jul 11 2006 01:37AM
Joel Maslak (jmaslak antelope net)
On Jul 10, 2006, at 11:50 AM, Bob Beck wrote:

> Yes, but what are you hoping to prove with those numbers. I think all
> you're demonstrating is what things get more attention, likely due to
> their popularity, so they make a more interesting target. I.E. just
> because you don't find hardly any vulnerabilities for web apps
> deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
> sir can I have another..)[1]) doesn't mean those that are aren't rife
> with them.

Exactly.

I have seen far too many Perl/PHP/ASP/ASP.NET/whatever apps that
can't figure out how to do really simple stuff like quote special
characters before passing things to a database (or, better yet, using
stored procedures and your web language's built-in parameterized SQL
exec functions - but that'll start a different religious war).

If you are defending against the next Internet Worm, then these
numbers may matter. But if you are defending against data being
compromised, the architecture of your system is much more important.

In fact, I've pretty much reduced website auditing to a single
question (yes, it really is more complicated than this, but most
sites fail on just this one, regardless of platform):

True/False: Someone who becomes an administrator on your public-
facing web server can read all the data in your database?

If you answer "true" then you've already failed. Regardless of Linux
or Windows usage. Does it matter if you have fewer bugs if it only
takes one bug to compromise your entire architecture?

> [1] Yes, I have seen an ANFC used for real [2]
> [2] Yes, it had a hole.

I've seen very few custom web apps that *don't* have a hole.

Copyright 2010, SecurityFocus