RE: [fw-wiz] Application-level Attacks

From: Ofer Shezaf (Ofer.Shezaf_at_breach.com)
Date: 02/15/05

    To: "Marcus J. Ranum" <mjr@ranum.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 15 Feb 2005 04:29:16 -0500
    
    

    On Friday, February 14, Marcus J. Ranum wrote:
    > The article you reference is a thinly-veiled puff piece for
    > "application security gateways" (read: marketing's new
    > word for proxy firewalls)

    I selected the article randomly, Pescatore's quote can be found all over
    the web.

    > The reason I jumped on your post is because I strongly
    > believe that in order for computer security to grow up and
    > stop being an intellectual backwater - we need to apply a
    > little science and attempt to accurately quantify what we
    > are doing. That means no more analysts practicing
    > proctological numerology, no more self-selected samples
    > used in polls, no more proof by vigorous hand-waving.

    Applying science to the issue is a real problem since organizations
    don't publish such incidents. As a result there is a bias in the
    security community mindset towards large scale attacks such as worms
    that are difficult to hide and get all the publicity, but may actually
    cause much less damage than a targeted attack.

    We hardly ever hear about a successful SQL injection attack in which
    sensitive information was stolen or a fraudulent transaction was
    committed, but we hear a lot about worms that mainly cause site
    downtime. On the other hand, my personal experience as well as the experience
    of others shows that in far too many penetration tests we find
    vulnerabilities such as SQL injection.

    One interesting paper which tries to measure the internet security
    status based on results of penetration tests is "How safe is it out
    there?"
    http://www.imperva.com/application_defense_center/papers/how_safe_is_it.html

    Most attempts I've seen to quantify the threat were based on user
    surveys and were very far from technology.

    Ofer Shezaf
    CTO, Breach Security

    Tel: +972.9.956.0036 ext.212
    Cell: +972.54.443.1119
    ofers@breach.com
    http://www.breach.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
