Re: How secure is software X?

Fabian Becker <neonomicus@xxxxxx> wrote on 05/12/2006 03:12:32 PM:

Dear David
in my opinion a software can either be secure or not secure.
I think it's a bit like a woman cannot be "a bit pregnant".
But the protocol you are talking about can be used to tell the secure
from the insecure pieces of software. By applying a test for these rules
against systems, security will definitely be enhanced since software
brandmarked with "insecure" will simply loose it's value.
Another question is how to verify that authors check their own software?
If they do not do it by now, why then? The only reason I could imagine
would be a raise in value by beeing able to say "My software is a tested
'secure' one".

Hello Fabian,
Respectfully, to classify security like that would be to condemn every
software as "insecure". What I see David proposing is more akin to "how
far along in her pregnancy". It is a measurement. Hopefully we can all
agree that with large applications (eg. Oracle, WebSphere, Windows,
etc...) there are bugs. While the desired direction may be 100% security
(much like the desired personal goal is perfection), we need to be able to
qualify how difficult it is to break applications in a standardized

The one caveat I might bring up is the topic of false security.
It is difficult to prove, in a standardized methodology, that an
application is difficult to break; only that our methodology has failed
to do so. How in-depth a fuzzing to we apply for this standard? Does the
standard include significant levels of reverse engineering? If so, who
does this (since some are more proficient than others)? If not, what true
value does this standard prove, except that the application can withstand
yet another script?

In concept, I agree wholeheartedly that a security qualification could be
beneficial. And perhaps, with all the brainpower involved, an relatively
reliable automated method could be achieved. There are many details which
would need to be sorted out. Some applications are more easily fuzzed
than others... For example, SMTP servers have a pretty standard interface,
they have to. Database servers do not, although they do have underlying
language similarities. Web app servers, such as WebSphere and Oracle app
server, may have commonalities, but have such a breadth of testing
required to give any comprehensive qualification, to do so seems rather

In my own little portable mind, such a standard would require an
infrastructure of standards, with each "class" of application being
represented and handled separately.

One alternative proposition would be to provide a difficulty rating for
the security researchers to apply to their vulnerability reports/analysis.
Simply an appendage to our normal bugtraq traffic. Let the researchers
grade the difficulty. Perhaps this would be problematic as well, since it
would take me far longer to find a vuln in Oracle than it would for
someone like David. But it would be a start.


Relevant Pages

  • Re: [fw-wiz] I wonder, how to test..
    ... >responsible for security at our company, ... >of my head make me wonder how secure it all is. ... Internally locking down the servers: ... administrator's privileges if he managed to execute code with webserver ...
  • Re: Anyone hear of ANSA (Asp.Net Security Analyser)??
    ... you if your servers that provide Asp.Net shared hosting ... ANSA (Asp.Net Security Analyser) is not a commercial ... results will tell us if your servers are secure or not. ...
  • RE: Certification for Win2k Web Servers
    ... SANS institute has a Windows 2000 "Gold Standard", ... collection of the industry best practices for Windows 2000 server security. ... the audit results from the single third party auditor. ... Certification for Win2k Web Servers ...
  • Re: [Full-disclosure] EE BrightBox router hacked - bares all if you ask nicely
    ... of my developers to use security best practises as they develop. ... be sure work is completed to a professional standard. ... you it all comes down to costs and who is going to pay. ... having a secure device/service/whatever brings in expenses. ...
  • Re: How to access I/O port directly in VC6.0?
    ... several multinationals, worked with the research division in one case, and ... Their "security" as far as servers was a joke; ... servers, which WERE secure, including VPN access, but the corporate ...