[Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)

Rhys Kidd rhyskidd at gmail.com
Thu Nov 16 12:19:29 Local tim 2006


On 11/16/06, dan at geer.org <dan at geer.org> wrote:
>
>
> | I think the real point here is that the majority of people responsible
> | for security have a backwards mindset.  Most security practitioners
> | still don't make the assumption that everything is vulnerable and
> | design around it.  Of course IIS is vulnerable to an unpublished 0day.
>
>
> so, should one write apps with the assumption that
> will be running on compromised hosts?
>
> --dan



Or maybe one should write apps with the assumption that their code will be
the REASON they are running on compromised hosts, so they drop root
privileges as soon as possible, scan code with Coverity/smatch/flawfinder,
and utilise compile-time protections where available (SafeSEH, /GS, ASLR
bit).

Case in point: MS released their latest DCERPC/SMB patches this month, but
it doesn't mean they now turn around and say to customers that, "Oh, yeah
that's the last of them resolved, our products are now secure again".

- Rhys
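The "drop root privileges as soon as possible" step above is easy to get subtly wrong (wrong order, unchecked return values, supplementary groups left behind, a drop that can be reversed). The following is an added example written for this archive page, not code from the post or from the Dailydave list: a privilege-drop routine for a Unix daemon that does the steps in the right order, checks every call, and then verifies that root cannot be regained. The target uid/gid of 65534 (a typical "nobody") and the function names are assumptions for the example.

```c
/* Added example, not from the original post: drop root early, check every
 * step, and verify the drop is irreversible. Target ids are constructed. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: do the real and effective ids all equal the requested ones? */
int ids_match(uid_t uid, gid_t gid) {
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop from root to uid/gid. Returns 0 on success, -1 on failure (errno set).
 * Order matters: supplementary groups first, then gid, then uid, because once
 * the uid is non-root the process can no longer change its group ids. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) {          /* refuse a "drop" that stays root */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) != 0)         /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0)                /* group id before user id */
        return -1;
    if (setuid(uid) != 0)                /* as root this sets real+effective+saved */
        return -1;
    /* Verify the result: ids are what we asked for ... */
    if (!ids_match(uid, gid)) {
        errno = EACCES;
        return -1;
    }
    /* ... and root cannot be regained (both calls must fail with EPERM). */
    if (setuid(0) != -1 || setgid(0) != -1) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Harness-friendly wrapper: 0 = dropped to the constructed target,
 * 1 = process was not root so there was nothing to drop, -1 = drop failed. */
int demo_drop(void) {
    const uid_t target_uid = 65534;      /* constructed: typical "nobody" */
    const gid_t target_gid = 65534;
    if (geteuid() != 0)
        return 1;
    return drop_privileges(target_uid, target_gid) == 0 ? 0 : -1;
}

int main(void) {
    int rc = demo_drop();
    if (rc == 0)
        printf("dropped to uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    else if (rc == 1)
        printf("not running as root; nothing to drop (uid=%u)\n", (unsigned)getuid());
    else
        perror("drop_privileges");
    return rc == -1 ? 1 : 0;
}
```

The point of the final two checks is that a daemon should fail closed: if any of the calls returns an error, or if the process can still become root afterwards, it must not continue serving requests. On Linux, setresuid/setresgid give finer control over the saved ids; the example uses the portable setuid/setgid pair, which as root replaces all three ids at once.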

