Firewall Wizards mailing list archives

Re: Q on external router
From: Adam Shostack <adam () homeport org>
Date: Sun, 26 Apr 1998 03:15:37 -0400 (EDT)

tqbf () secnet com wrote:

| I submit that it is likely that we will find bugs in switches, because
| switches are performance-enhancing devices that are not (AFAIK) designed
| with security as a priority. I submit it is unlikely that we will find a
| bug (easily) in any given application gateway firewall.

        I refer you to the encrypting srvio.c that was the export
controlled part of the FWTK for three years before a replay attack was
corrected.

        The amount of real review of source that's done is pathetically
low.  Doing internal code reviews pays for itself very quickly by
finding problems that are not found by other parts of the testing
process.  Where I did my first review work, we routinely found and
prevented deployment of security bugs, any one of which would have
cost more in staff time to clean up than all the reviews we ever did.
I won't get into the cost of bad publicity for the company.

        It's been very clear to me when I've done reviews as a
contractor that some of the code has never been seen by anyone other
than the author.  This was for a well-known and respected security
company.

Adam

-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.
