Tim,

Would you then consider proper implementation to be in accordance with the vendor's recommended guidelines and practices? As an example (based on one of the debated products here), if one selects the default installation for IIS (through 5.0), many vulnerabilities are left open. However, Microsoft has a very clear set of published guidelines for installing and configuring IIS. Part of those guidelines is hardening the server to properly secure the installation. Which installation would be considered "implemented properly" for your purposes?

If we assume installing an application such that it fulfills its primary function, in this case serving web content (ftp, smtp intentionally omitted for brevity), as the only criterion, then certainly IIS would be considered insecure. This assumption leaves us with a dilemma: do we classify a program as insecure simply because it can be configured insecurely if the application vendor's installation recommendations are not followed? Or would it be more appropriate to classify a proper implementation as an implementation that follows the vendor's guidelines and recommendations and *then* test for vulnerabilities?

Charlie

Tim Greer wrote:
> How about the top 10 insecure programs, that are insecure when they are
> implemented properly, as well as set up and configured to illustrate how
> major vulnerabilities do or have existed in them due to the way the program
> is coded and functions in the manner in which it is intended. Is that not
> the very essence of determining if it's an insecure program and how major
> the exploit is?
> --
> Regards,
> Tim Greer [EMAIL PROTECTED]
> Server administration, security, programming, consulting.
>
> ----- Original Message -----
> From: "Brad Bemis" <[EMAIL PROTECTED]>
> To: "Jay D. Dyson" <[EMAIL PROTECTED]>; "Security-Basics List" <[EMAIL PROTECTED]>
> Cc: "Nero, Nick" <[EMAIL PROTECTED]>
> Sent: Thursday, July 03, 2003 11:31 AM
> Subject: RE: Ten least secure programs
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At this point, it sounds like what you really need to do is define the
> criteria for "insecure" programs. Is it really just the number of bugs? I
> think it might be more relevant to consider things like #, type, impact,
> distribution base, etc.
<snip>