Comments on Jeremiah Grossman: 8 reasons why website vulnerabilities are not fixed
(comment feed, 27 comments, newest first)

Preeti, 2010-09-30:
And sometimes the developer just comments out that line of code... lol... which is having the vulnerability... :)

Marcin (http://online.powerfuzzer.com), 2009-12-04:
We are using SSL :)

Anonymous, 2009-05-21:
My favorites (some of which have been posted):
- We've always done it like this before.
- Our customer service reps don't validate with this much detail.

shrdlu (http://layer8.itsecuritygeek.com), 2009-05-08:
12) "Oh, our users are too dumb to be able to exploit that, not to worry."

phatman, 2009-05-08:
"It's too hard." They never actually say that of course. But when you strip away all the commentary that's what it often boils down to. I've been ISSO/IASO/CISM with 3-letter gov't agencies. Last year I found significant SQL injection vulnerabilities in the test environment for a major gov financial application. The head of the development org, knowing that I wouldn't be allowed to pen-test the production system during grant season, outright lied and asserted that the vulnerability didn't exist in production, despite it being the same code. However, that's the lie the OCIO wanted to hear. When I confronted parties on this I was told that we'd revisit the issue after 'busy' season.

Jeremiah Grossman, 2009-05-07:
Wow, some of these are really good! Funny even! :)

Anonymous, 2009-05-07:
9) App is written in PHP

Daniel, 2009-05-06:
#15... er, I lost count)
The issue you have identified is an application feature and not a vulnerability.
There's nothing to fix, crazy security man, why are you trying to make us non-compliant!?

Niranjan (http://outscribe.org), 2009-05-05:
some more:
- No one asked us to change it for the last 50 products we developed with the same code, why you now!?
- No one will hack our product/site (it's always others)!

Sachin Shetty, 2009-05-05:
Risk is reduced by having an app firewall rule instead of a code fix.

Jason Remillard (http://www.54f3.com), 2009-05-05:
wow:
McAfee: Enabling Malware Distribution and Fraud
http://www.readwriteweb.com/archives/mcafee_enabling_malware_distribution_and_fraud.php

Jason, 2009-05-05:
One of my personal favs:
'It's always been done this way'

Anonymous, 2009-05-05:
Just finished an incident response for a breach at a MAJOR cc processor. When we first arrived onsite we found 2 Snort boxes running that no one knew how to log into or who stood them up. They were just there for PCI compliance. I have found that if someone is not paid to care, no one will.

Anonymous, 2009-05-04:
"It's an important feature of the application," said the application manager.
"A what? This is SQL injection. How can that be a design requirement?" asked I.
"Well, it wasn't. But, you see, we don't have much of an API, so some of our big partners have written screen scrapers and they use SQL injection to efficiently extract large amounts of data. If we fix your SQL injection thing, we'll break their business."

Erwin Geirnaert, 2009-05-04:
Another one:
there is no budget to fix the holes

Jason (http://www.54f3.com), 2009-05-04:
We don't disclose who our partner is, but it is a large vendor that we have licensing with.
Jason

webmaster, 2009-05-04:
IT Managers lose kickbacks from Security Software providers if they patch every hole.

Jeremiah Grossman, 2009-05-03:
@Jason, what scanner technology backs your service? Couldn't seem to find a reference on the website.

dunsany, 2009-05-03:
Nothing to add but a comment on "Features are prioritized ahead of security fixes."
Sometimes this prioritization is done by the customer and not the application owner/fixer. "I want all these new features. Oh, and fix those holes while you're at it too."

Jason Remillard (http://www.54f3.com), 2009-05-03:
Jeremiah..
Perhaps you misunderstood.. I didn't say less, I said presentation counts, as does priority. Of course, we all shudder when we find *anything* exposed, but from a business perspective (large or small), there is only a certain amount of capacity for change.
The same definitely applied in my Identity Management customers. Of course we wanted to do everything, but we had to focus on the basics first, then move on from there.
Jason

Jerry Mangiarelli, ASS.. :), 2009-05-03:
Vulnerabilities are misunderstood.

Nilesh Kumar, 2009-05-03:
Hi Jeremiah,
Just a few days ago I was posting on my blog (http://nileshkumar83.blogspot.com/2009/05/1-or-11-still-works.html) wondering what may be the reasons that people make blunder mistakes on major websites also.
I gave an example also that just entering 1 or 1=1 broke the authentication of a major airline's website!!! Blunder, isn't it?
Today I got the answers on your post about what might be the negligences behind these incidents.
I very much agree with you.
Thanks,
Nilesh

Jeremiah Grossman, 2009-05-02:
LOL Anurag, that's a good one! :)

Anurag Agarwal, 2009-05-02:
they didn't know the application existed :)

Anonymous, 2009-05-02:
11) Organization ignored AppSec Consulting Service's industry best practice recommendation and tried to fix it their own way.