How about the top 10 insecure programs, that are insecure when they are implemented properly, as well as set up and configured to illustrate how major vulnerabilities do or have existed in them due to the way the program is coded and functions in the manner in which it is intended. Is that not the very essence of determining if it's an insecure program and how major the exploit is?

--
Regards,
Tim Greer [EMAIL PROTECTED]
Server administration, security, programming, consulting.

----- Original Message -----
From: "Brad Bemis" <[EMAIL PROTECTED]>
To: "Jay D. Dyson" <[EMAIL PROTECTED]>; "Security-Basics List" <[EMAIL PROTECTED]>
Cc: "Nero, Nick" <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 11:31 AM
Subject: RE: Ten least secure programs

At this point, it sounds like what you really need to do is define the criteria for "insecure" programs. Is it really just the number of bugs? I think it might be more relevant to consider things like #, type, impact, distribution base, etc. It really all depends on how 'accurate' you want your list to be, but if you establish criteria and a generic series of measurements, you could bounce each recommendation for the list against the metrics to determine an application's placement on the list.

Lastly, I think that it is relatively unproductive to identify the top 10 most 'insecure' programs. It is not the program itself that is necessarily insecure, but how the program is implemented. You can say that IIS is one of the most insecure applications on the market, but it isn't really true! If you apply the proper controls, IIS can be made into a very effective, very secure platform.

Again, criteria for defining 'insecure' applications would probably help significantly.

- Brad Bemis
