Tim,

Would you then consider proper implementation to be in accordance with the
vendor's recommended guidelines and practices?
As an example (based on one of the debated products here), if one selects the
default installation for IIS (through 5.0), many vulnerabilities are left open.
However, Microsoft has a very clear set of published guidelines for installing
and configuring IIS.
Part of those guidelines is hardening the server to properly secure the
installation.
Which installation would be considered "implemented properly" for your purposes?

If we assume installing an application such that it fulfills its primary
function, in this case serving web content (ftp, smtp intentionally omitted for
brevity), as the only criterion, then certainly IIS would be considered insecure.
This assumption leaves us with a dilemma: do we classify a program as insecure
simply because it can be configured insecurely if the application vendor's
installation recommendations are not followed? Or would it be more appropriate
to classify a proper implementation as an implementation that follows the
vendor's guidelines and recommendations and *then* test for vulnerabilities?

Charlie




Tim Greer wrote:

> How about the top 10 insecure programs, that are insecure when they are
> implemented properly, as well as set up and configured to illustrate how
> major vulnerabilities do or have existed in them due to the way the program
> is coded and functions in the manner in which it is intended.  Is that not
> the very essence of determining if it's an insecure program and how major
> the exploit is?
> --
> Regards,
> Tim Greer  [EMAIL PROTECTED]
> Server administration, security, programming, consulting.
>
> ----- Original Message -----
> From: "Brad Bemis" <[EMAIL PROTECTED]>
> To: "Jay D. Dyson" <[EMAIL PROTECTED]>; "Security-Basics List"
> <[EMAIL PROTECTED]>
> Cc: "Nero, Nick" <[EMAIL PROTECTED]>
> Sent: Thursday, July 03, 2003 11:31 AM
> Subject: RE: Ten least secure programs
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At this point, it sounds like what you really need to do is define the
> criteria for "insecure" programs.  Is it really just the number of bugs?  I
> think it might be more relevant to consider things like #, type, impact,
> distribution base, etc.

<snip>


--
E-mail correspondence to and from this address may be subject to the North
Carolina Public Records Law and may be disclosed to third parties by an
authorized state official.
--
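Charlie's question above turns on which configuration is measured: the default install or the install after the vendor's hardening guide has been applied. The following Python script is an added illustration, not code from this thread or from Microsoft; it models a web server configuration and a hardening checklist as plain data, then classifies the same default install under both definitions of "implemented properly". The configuration fields, the checklist items and the default-install values are constructed for the example (paraphrases of the kind of items a vendor hardening guide lists), not a reproduction of Microsoft's actual IIS documentation or metabase.

```python
"""Baseline check: default install versus vendor-hardened install.

Constructed example. The configuration model, checklist items and sample
values are illustrative; they are not Microsoft's real IIS settings.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class WebServerConfig:
    # Enabled script-mapping extensions (constructed model, not the real metabase)
    script_mappings: frozenset
    # Virtual directories present on the server
    virtual_dirs: frozenset
    webdav_enabled: bool
    parent_paths_enabled: bool
    logging_enabled: bool


# Extensions a content-only web server does not need: each one is extra
# attack surface that does nothing for the primary function of serving pages.
UNNEEDED_MAPPINGS = frozenset({".htr", ".idc", ".printer", ".ida", ".idq", ".shtml"})
# Sample / help / data-access virtual directories a default install leaves behind.
SAMPLE_DIRS = frozenset({"/IISSamples", "/IISHelp", "/MSADC", "/Scripts"})

# Hardening checklist: (id, description, predicate that is True when compliant).
CHECKLIST = (
    ("H1", "remove unneeded script mappings",
     lambda c: not (c.script_mappings & UNNEEDED_MAPPINGS)),
    ("H2", "remove sample and helper virtual directories",
     lambda c: not (c.virtual_dirs & SAMPLE_DIRS)),
    ("H3", "disable WebDAV unless required",
     lambda c: not c.webdav_enabled),
    ("H4", "disable parent paths",
     lambda c: not c.parent_paths_enabled),
    ("H5", "enable request logging",
     lambda c: c.logging_enabled),
)


def findings(config):
    """Return the ids of checklist items the configuration fails, in checklist order."""
    return [item_id for item_id, _desc, ok in CHECKLIST if not ok(config)]


def apply_vendor_guidance(config):
    """Model 'follow the vendor's hardening guide': return a hardened copy."""
    return replace(
        config,
        script_mappings=config.script_mappings - UNNEEDED_MAPPINGS,
        virtual_dirs=config.virtual_dirs - SAMPLE_DIRS,
        webdav_enabled=False,
        parent_paths_enabled=False,
        logging_enabled=True,
    )


def classify(config, follow_vendor_guidance=False):
    """Classify the install under either definition of 'implemented properly'.

    follow_vendor_guidance=False: the install is judged as it is (function-only
    criterion). True: the hardening guide is applied first, then the install is
    judged (vendor-guidance criterion).
    """
    if follow_vendor_guidance:
        config = apply_vendor_guidance(config)
    return "hardened" if not findings(config) else "insecure"


# Constructed default-install profile: serves content, but ships with the
# extra mappings, sample directories, WebDAV and parent paths switched on.
DEFAULT_INSTALL = WebServerConfig(
    script_mappings=frozenset({".asp", ".asa", ".htr", ".idc", ".printer",
                               ".ida", ".idq", ".shtml"}),
    virtual_dirs=frozenset({"/", "/Scripts", "/IISSamples", "/IISHelp", "/MSADC"}),
    webdav_enabled=True,
    parent_paths_enabled=True,
    logging_enabled=True,
)


if __name__ == "__main__":
    print("failed items on default install:", findings(DEFAULT_INSTALL))
    print("function-only criterion:", classify(DEFAULT_INSTALL))
    print("vendor-guidance criterion:", classify(DEFAULT_INSTALL, True))
```

The same `DEFAULT_INSTALL` comes out "insecure" under the first criterion and "hardened" under the second, which is exactly the ambiguity the thread is arguing over; the checklist ids make it explicit which deviations from the guide produced the "insecure" verdict, so the two criteria can be compared item by item rather than as a single label.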


