Patching IIS (was - RE: ASP security in HTML pages)

From: Wolf, Yonah (Yonah.Wolf_at_ujc.org)
Date: 06/28/04

    Date: Mon, 28 Jun 2004 14:25:41 -0400
    To: <security-basics@securityfocus.com>, <webappsec@securityfocus.com>

    All,

     It seems that a lot of these responses are pointing out age-old flaws in ASP - stuff that was around 3-4 years ago. If someone were to properly configure and/or patch their server (say, by running the IIS lockdown tool) they would not be exposed to these vulnerabilities. In light of that I just wanted to point out several things:

            - It's not the holes you close, but the ones you need to keep open that you need to worry about (hence the need for web app security)

            - I understand if someone gets taken by a new flaw when it first comes out, but it is a sorry state of affairs when ASP flaws from 3 years ago are still being exploited - I just can't understand why well-known security patches aren't being applied!?!?

            - Steps to protect your source code, especially if that code is contained in scripts, are like the false security of a life preserver in shark-infested waters - they will help you, but only to a point.

