Dailydave: Gold Builds

Gold Builds

From: Dave Aitel <dave_at_immunitysec.com>
Date: Sat, 29 Nov 2003 15:31:08 -0500

This dilbert is security-industry aware!
http://www.comics.com/comics/dilbert/archive/images/dilbert2003111108929.gif

Everyone should go check out this paper on Windows RPC internals from
Jean-Baptiste, who continues to do excellent work:
http://www.hsc.fr/ressources/articles/win_net_srv/
Here's a presentation as well
http://www.hsc.fr/ressources/presentations/hivercon03/

___

There are a lot of consulting companies on this list. I'm wondering if
you guys have the same opinions on this sort of thing:

One of the things that Immunity often does is a "host assessment."
Usually this means that a large company has put together their mail
server or has a "Gold Build" that they are going to base their mail
server on, and they want to give it one last check before it goes live.
Usually, as in the case yesterday, I use tcpview or lsof, go down the
list of open ports, and anywhere there is a third party application or
custom-built application, find one remote hole. My favorite thing to do
lately is to use Ollydbg and starting at recv(), reverse engineer the
proprietary protocols until I find something fun. Sometimes you find two
something funs. But you usually find SOMETHING on anything that's not
part of the base OS. Backup programs, management utilities, third party
ActiveX plugins to web servers, XML conversion programs, etc. All that
stuff is buggy as hell.

Now, with bobsbagoffish.com, that's fine. What's a small or medium-sized
company going to do except use off-the-shelf parts? They just want to
know how bad off they are. But with a larger client, the end goal should
be, I think, to get the client to change their process to force their
vendors to have third-party reviews of their components before they get
included in Gold Builds. Otherwise you may have built your entire system
on a vendor's products, before realizing they are completely impossible
to secure. I think it's a compelling thing to say "Listen, we'd love to
include your product in our Base Build, perhaps get a site license? But
before we do, we need to see a stamp of approval from one of these four
companies." Likewise, when deploying a giant web application, it often
makes sense to QA the third-party components of it before you QA your
entire finished product. In this case I also think a "stamp of approval"
is a good thing, since you can have your vendors get one while you're in
your planning process, which gives them time to fix their bugs by the
time you go live.

I guess I'm still of the belief that what security consulting companies
do is QA, but I think if you HAVE the pull to make your vendors do their
own QA, rather than doing it for them, it's nice to push that cost (and
the "risk", as an economist would say) back onto them.

Dave Aitel
Immunity, Inc.

_______________________________________________
Dailydave mailing list
Dailydave_at_lists.immunitysec.com
http://www.immunitysec.com/mailman/listinfo/dailydave
Received on Nov 29 2003
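The first step Dave describes, walking the list of listening ports and separating base-OS services from third-party or custom components that need a closer look, as an added example that is not part of the original post. It parses a constructed `ss -tlnp` sample and a constructed pid-to-executable map (on a live host the map would come from /proc/<pid>/exe); the base-OS path prefixes are an assumption for illustration.

```python
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=1044,fd=13))
LISTEN  0       4096    0.0.0.0:10000        0.0.0.0:*          users:(("bkupagent",pid=2210,fd=5))
LISTEN  0       128     127.0.0.1:8443       0.0.0.0:*          users:(("xmlconv",pid=2301,fd=7))
"""

# Constructed pid -> executable map; on a real host read /proc/<pid>/exe instead.
PID_EXE = {
    812: "/usr/sbin/sshd",
    1044: "/usr/libexec/postfix/master",
    2210: "/opt/vendor-backup/bin/bkupagent",
    2301: "/usr/local/xmlconv/bin/xmlconv",
}

# Assumed set of paths that belong to the base OS build; anything else is third-party or custom.
BASE_OS_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")

PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

def parse_listeners(ss_text):
    """Return (local_addr, port, process_name, pid) for each LISTEN line of ss -tlnp output."""
    listeners = []
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        fields = line.split()
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 forms like [::]:22 intact
        m = PROC_RE.search(line)
        if m:
            listeners.append((addr, int(port), m.group("name"), int(m.group("pid"))))
    return listeners

def classify(listeners, pid_exe, base_prefixes=BASE_OS_PREFIXES):
    """Tag each listener 'base-os' or 'review' by where its executable lives."""
    result = {}
    for addr, port, name, pid in listeners:
        exe = pid_exe.get(pid, "<unknown>")
        tag = "base-os" if exe.startswith(base_prefixes) else "review"
        result[(addr, port)] = (name, exe, tag)
    return result

def review_queue(ss_text=SS_OUTPUT, pid_exe=PID_EXE):
    """Sorted ports whose listener is not part of the base OS: the assessment's work list."""
    tagged = classify(parse_listeners(ss_text), pid_exe)
    return sorted(port for (_, port), (_, _, tag) in tagged.items() if tag == "review")
```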