Comments for AppSec Street Fighter - SANS Institute

Comment on The Day the World Will End by Ron

Ron — Fri, 30 Oct 2009 15:20:24 +0000

How about Feb 9, 2013? That’s the projected day we run out of IPv4 addresses. Heavens!

Comment on The Day the World Will End by Brisa

Brisa — Fri, 30 Oct 2009 14:23:45 +0000

Do you realize than “Binary Armageddon Day” varies with the culture?

Comment on The Day the World Will End by Ian Mitchell

Ian Mitchell — Thu, 29 Oct 2009 21:46:23 +0000

http://www.sysmod.com/y2kxbase.htm

Dec 31, 2049 23:59:59 for you old Clipper 5.x guru’s out there. But the site above shows how to put a sliding epoch in place that can let your legacy live on for a few more years.

Comment on The Day the World Will End by Joel

Joel — Thu, 29 Oct 2009 21:37:29 +0000

One interesting thing to note: Mayans (quite sensibly) used modular arithmetic in their system of time.

Talking about the end of their calendar is like talking about the end of a crystal lattice. It draws upon concepts that are outside the reference frame of the question; it is complete nonsense.

Incidentally, one way of fixing the ntp and Unix epoch problems listed in a relatively permanent way, would be to craft a computer standard using a cyclic definition of time similar to the Mayan one (or most other traditional societies…), acknowledging that things naturally cycle back to zero eventually. A negative 38 year, 15 day mortgage would (if we kept the basis the same) accrue the same interest as a 30 year mortgage, because in such a system, that is the same interval of time.

Comment on The Day the World Will End by Steve Seideman

Steve Seideman — Thu, 29 Oct 2009 17:50:40 +0000

Hoffman labs has several Doomsdates for OpenVMS – http://labs.hoffmanlabs.com/node/818. Of particular note: 7-Feb-2106 06:28:15 GMT (unsigned overflow) for UNIX end of Epoch and 31-Jul-31086 02:48:05.47 GMT (we got some time on this one too) for OpenVMS end of Epoch

Comment on Adoption of X-FRAME-OPTIONS header by thorin

thorin — Thu, 22 Oct 2009 19:04:41 +0000

It’s an interesting idea but just like anything else client side the element can still be blocked/filtered prior to arrival at the browser therefore rendering inclusion of this tag useless (since you can block it, filter it or strip it out).

Comment on Adoption of X-FRAME-OPTIONS header by Jeff Williams

Jeff Williams — Thu, 15 Oct 2009 12:49:53 +0000

I released a JavaEE filter for X-FRAME-OPTION back in Feb 2009. Very easy to use but haven’t heard of anyone using it. http://www.owasp.org/index.php/ClickjackFilter_for_Java_EE

Comment on Response: Pentesting Coverage. by John O

John O — Mon, 05 Oct 2009 19:29:06 +0000

Great Post! I have been on this Vuln Assessment vs. Pen Test soap box for a while now. I also think there are couple of other values of a Pen Test, prior to a getting to a mature InfoSec program.

1. Using it as a “shocking” display to stakeholders who may not understand the real world impact of vulnerabilities on their organization. By “showing” them with a Pen test (and in a positive way, you don’t want to beat them over the head with the results) you can start to gather buy-in for your overall InfoSec program.

2. To test IDS/Incident Response procedures. When you have tools designed to detect the bad guys getting in and respond to that event, a test goes a long way in understanding where the weaknesses lie in your detection/response plans.

Thanks for the post.

Comment on Session Attacks and ASP.NET – Part 2 by ds r4

ds r4 — Sat, 03 Oct 2009 05:21:18 +0000

Thanx for the information. You have written that SSL can be created through program. I would appreciate if you could provide a way to do it through C#. Please provide more information over it. provide links to related topics if possible.

Comment on Pentesting: Do you need “coverage” ? by CG

CG — Fri, 02 Oct 2009 01:55:01 +0000

you’ve done an excellent job describing a few issues.

First is that developers are not pentesters and usually shouldn’t be. mostly because they look as the problem as an problem with a single application and not how all those issues fit together as its related to your network security posture and for protection of your critical assets/data/or IP.

Second, you’ve described perfectly what should go on during a vulnerability assessment and application (source) review and not a pentest.

we need to get away from “pentests” that attempt to find every possible vulnerability, those are vulnerability assessments or if you want to justify your existence vulnerability assessments with exploitation or vulnerability assessment with source code audit and not pentests.

Its time for a pentest when you’ve done all the things you mentioned in your posts and you think your app is good to go & no one can break it or into it. Or more importantly you think you can catch the attacker once he’s in your network and one 0day doesnt ruin your whole day.

Your find every vulnerability pentest can be / should be/ and rapidly is being replaced by a monkey with a scanner or an appliance in a rack.

see chris nickerson for the rest of the rant…