Re: [Full-disclosure] Absolute Sownage (A concise history of recent Sony hacks)



On Sat, 11 Jun 2011 01:36:54 BST, mrx said:
I did the top 10 and hopefully with my limited experience and knowledge in
this field have covered them all.

If you did proper checks for the Top 10 (single biggest issue for most of them
is remembering to filter *in* valid input, not filter out invalid), and went
through your code while thinking to yourself "What would Satan himself put in
this field just to make my life miserable?", your code is (unfortunately)
probably better than 80-90% of what's out there in production.

Even if you don't always succeed at guessing what Satan would put in the field,
even all the obvious stuff (too long, too short, unexpected UTF-8, upside-down,
whatever) will go a *long* way towards hardening the code. And quite frankly,
that may be good enough - if you eliminate 95% of the holes, it may be
*effectively* secure, simply because it isn't worth the attacker's time to
fight for the other 5% (of course, this also depends on you being "just another
one of 140 million .coms", where you don't have to outrun the bear, just the
other hiker - if this is highly visible code, of course a higher level of
security will be needed...)

Oh, and remember that security is trade-offs - spending $10K to fix that last
mostly-theoretical hole that will lose you maybe $100 if exploited is simply
not worth it. You'll have to assess that cost/value thing based on the actual
app and data, of course...

Attachment: pgpAEZ4JQEgUt.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] Getting Off the Patch
    ... Okay, so there's like 40 odd rather long responses to this discussion, can ... security analysts write checks that operations and management has to cash.. ... had to do was to install the patch. ... For what my position is worth, I totally support you and your research ...
    (Full-Disclosure)
  • Re: how can I test the security of my Linux box ?
    ... Very few ppl are interested in going to jail for helping someone ... Just as BIND - use djbDNS instead of BIND. ... > SATAN is also another program to try on to test your security. ... Satan is quite old - Nessus will be much better nowadays. ...
    (comp.os.linux.security)
  • Re: Garmin streetpilot: Carry on or checked in luggage?
    ... but they've never been given a second glance by security. ... Wouldn't be worth much ... > if he's planning to make enough money off such thefts to ... I don't put anything of value in checked baggage. ...
    (sci.geo.satellite-nav)
  • GUIs - - Stopping the Intruder from within Narrative
    ... compromise of software and data are obvious concerns. ... Something that's worth discussing is the ease with which security ... portals or GUI interfaces can be compromised. ...
    (comp.security.misc)
  • Re: mounting a safe
    ... it's worth the trouble they've going to contract-out someone who can get ... past whatever security most of us can afford. ... point where whatever it is you have inside is not worth the time of someone ...
    (alt.home.repair)