Firewall Wizards
mailing list archives
RE: Application-level Attacks
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Tue, 15 Feb 2005 04:29:16 -0500
On Friday, February 14, Marcus J. Ranum wrote:
> The article you reference is a thinly-veiled puff piece for
> "application security gateways" (read: marketing's new
> word for proxy firewalls)
I selected the article randomly, Pescatore's quote can be found all over
the web.
> The reason I jumped on your post is because I strongly
> believe that in order for computer security to grow up and
> stop being an intellectual backwater - we need to apply a
> little science and attempt to accurately quantify what we
> are doing. That means no more analysts practicing
> proctological numerology, no more self-selected samples
> used in polls, no more proof by vigorous hand-waving.
Applying science to the issue is a real problem since organizations
don't publish such incidents. As a result there is a bias in the
security community mindset towards large scale attacks such as worms
that are difficult to hide and get all the publicity, but may actually
cause much less damage than a targeted attack.
We hardly ever hear about a successful SQL injection attack in which
sensitive information was stolen or a fraudulent transaction was
committed, but we hear a lot about worms that mainly cause site
downtime. On the other hand, my personal experience as well as the
experience of others shows that in far too many penetration tests we
find vulnerabilities such as SQL injection.
One interesting paper which tries to measure the internet security
status based on results of penetration tests is "How safe is it out
there?"
http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html
Most attempts I've seen to quantify the threat were based on user
surveys and were very far from the technology.
Ofer Shezaf
CTO, Breach Security
Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers () breach com
http://www.breach.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards