That would certainly be a more accurate list of most of the important
factors of qualification, and not just limited to the program alone.  Well
said.
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.


----- Original Message -----
From: "Jay D. Dyson" <[EMAIL PROTECTED]>
To: "Security-Basics List" <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 4:13 PM
Subject: Re: Ten least secure programs


>
> On Thu, 3 Jul 2003, Tim Greer wrote:
>
> > How about the top 10 insecure programs, that are insecure when they are
> > implemented properly, as well as set up and configured, to illustrate how
> > major vulnerabilities do or have existed in them due to the way the
> > program is coded and functions in the manner in which it is intended.
> > Is that not the very essence of determining if it's an insecure program
> > and how major the exploit is?
>
> Since I'm just another contributor to the list (and not the one in
> charge of said list), here's my $0.02 on the criteria for making the list:
>
> 1. Quantity of bugs which have a direct security impact.
> (This rules out generic bug reports that have little
> security impact unless executed during the Equinox of odd-
> numbered years while standing on one's head and singing
> Barry Manilow songs.  [Okay, you get my drift.])
>
> 2. Quality of vulnerabilities:
> A.  Remote root vulnerability
> B.  Local root vulnerability
> C.  Remote privilege escalation (not root)
> D.  Local privilege escalation (not root)
> E.  Disclosure of data vulnerability (including path
>     traversing)
> F.  Impact of above vulnerabilities on the Internet
>     and user community overall (e.g., is it worm-friendly?
>     does it spam up everyone's e-mail inboxes with more
>     copies of itself?  does it provide a direct vector for
>     further attack against one's net.neighbors, et cetera)
>
> 3. General risk factors:
> A.  Is authentication data (or other potentially sensitive
>     data) transmitted in the clear?
> B.  Is the service readily susceptible to net.abuse?
> C.  If the product can be secured, would the average
>     user still be able to use it?  (User pushback and
>     security circumvention _is_ an issue, folks.)
> D.  Is the encryption within the product weak?  (Such
>     as in the case of the Wired Equivalency Protocol
>     [WEP] in wireless networking.)
>
> ...and so on.  That list is a good start by which candidates can
> at least begin to be measured.
>
> - -Jay
>
>    (    (                                                        _______
>    ))   ))   .-"There's always time for a good cup of coffee"-.>====<--.
>  C|~~|C|~~| (>----- Jay D. Dyson -- [EMAIL PROTECTED] -----<) |    =|-'
>   `--' `--'  `Red meat isn't bad for you, fuzzy green meat is.'  `------'
>
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
>

