Re: OpenSSL Hacks

David Wagner wrote:
> Douglas A. Gwyn wrote:
> > For example: unchecked whether malloc succeeds, and no
> > suitable exception scheme to handle it even if it were checked.
> > Why on earth *would* I explain such basic stuff to developers?
> That's a vulnerability? Sorry, I don't see it.
> A minor bug, sure. A potential reliability issue, quite possibly.
> At worst, it might be a denial-of-service issue, depending on details
> which are not in evidence here.

Actually at worst it might result in arbitrary code substitution,
just as with buffer overrun vulnerabilities. Details depend on
the specific platform.

*Any* incorrect implementation of a function in a subcomponent of
a security protocol is worrisome and potentially harmful (to
the purposes of the protocol).

It wasn't my purpose to develop specific exploitations. Such
code problems are a sign that no adequate review (security or
otherwise) has been done; trusting the security adequacy of the
product under such circumstances would be folly.

If you're going to rely on certification, the certification
should mean something (and furthermore should mean what you
require for your purposes).
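The two patterns the thread argues about, as an added example that is not code from the thread or from OpenSSL: a copy routine that never checks what malloc() returned, beside one that checks it and hands the failure to its caller. The function-pointer allocator, the status enum and the sample bytes are assumptions made so the failure path can be exercised without exhausting memory.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not code from the thread or from OpenSSL. It contrasts the
 * unchecked malloc() pattern the thread criticises with one that checks the
 * result and reports failure. The allocator is a parameter (an assumption for
 * testability) so an out-of-memory condition can be simulated. */
typedef void *(*alloc_fn)(size_t);

/* Stand-in for an allocator under memory pressure: always fails. */
void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Unchecked pattern: if alloc() fails, memcpy() writes through a null pointer
 * (a crash at best, memory corruption where the low page is mappable). */
unsigned char *copy_unchecked(alloc_fn alloc, const unsigned char *src, size_t n)
{
    unsigned char *dst = alloc(n);
    memcpy(dst, src, n);                  /* dst may be NULL here */
    return dst;
}

/* Status codes: the "suitable exception scheme" the thread finds missing. */
enum copy_status { COPY_OK = 0, COPY_ENOMEM = 1, COPY_EINVAL = 2 };

/* Checked pattern: failure becomes a status the caller must act on, and *out
 * is cleared first so a careless caller cannot use stale data. */
enum copy_status copy_checked(alloc_fn alloc, const unsigned char *src,
                              size_t n, unsigned char **out)
{
    *out = NULL;
    if (src == NULL || n == 0) return COPY_EINVAL;  /* malloc(0) may return NULL */
    unsigned char *dst = alloc(n);
    if (dst == NULL) return COPY_ENOMEM;
    memcpy(dst, src, n);
    *out = dst;
    return COPY_OK;
}

/* Constructed sample standing in for key material or a parsed record. */
static const unsigned char sample[] = { 0xde, 0xad, 0xbe, 0xef };

/* Runs copy_checked() on the sample with the given allocator. Returns the
 * status, or -1 if the output pointer is inconsistent with that status. */
int demo(alloc_fn alloc)
{
    unsigned char garbage = 0, *out = &garbage;   /* non-NULL to prove clearing */
    enum copy_status st = copy_checked(alloc, sample, sizeof sample, &out);
    int consistent = (st == COPY_OK) ? (out && memcmp(out, sample, sizeof sample) == 0)
                                     : (out == NULL);
    if (st == COPY_OK) free(out);
    return consistent ? (int)st : -1;
}
```

Calling demo(failing_alloc) reports COPY_ENOMEM with a NULL result instead of dereferencing it; demo(malloc) returns COPY_OK with a faithful copy.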