mailing list archives
Re: Fwd: Rate Stratfor's Incident Response
From: Valdis.Kletnieks () vt edu
Date: Wed, 11 Jan 2012 09:44:37 -0500
On Wed, 11 Jan 2012 01:33:18 CST, Laurelai said:
If you guys cant scan for basic sql injection and these kids can then
theres a real problem, thats my point here.
That may or may not be true. Doesn't mean you have the right solution.
Also, you seem to keeo forgetting that this is an asymmetric problem.
The security guy has to scan *every single* entry point of *every single* app
for an SQL injection, which could take a while for a large company. They are usually
limited in how much time they have (two to four weeks, usually). And then scan
for *every other* thing on the OWASP Top 10.
One script kiddie gets lucky and finds one hole, they get their name in the news.
As the ancient proverb says "Set a thief to catch a thief"
The fact it's a proverb doesn't make it correct or useful in today's world.
Maybe in 1665 it was the best way to do it. I'd certainly hope that today with
modern techniques like fingerprints and DNA and surveillance cameras, a
detective is better at chatching thieves than another thief would be.
Remember - the fact the guy knows how to pick a 5-tumbler lock doesn't mean he
knows how to lift the prints off said lock after somebody else did it.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/