PetCo.com Vulnerable to SQL Injection

  • quote:


    I'm not sure we can expect all software companies to adhere voluntarily to such high standards -- especially when doing so will cost them (in the short term at least). There needs to be a foil. I suppose that CERT/Bugtraq may fulfil this role (I'm not familiar with them beyond knowing of their existence and having read a bulletin or two).


    CERT is getting nailed by the white hat community. They are getting info on vulnerabilities and then are turning around and providing them to paying customers ahead of everyone else. CERT was supposed to be a clearinghouse where everyone was treated the same. They aren't doing that. That's why there have been a couple of security breaches in the last couple of months where individuals went and found information about vulnerabilities CERT was keeping close but not revealing to the general public.

    quote:


    Steve suggests letting the press handle disclosure -- fair enough, and pragmatic -- but why should someone be scared into handing over their discovery to a third party? If it's a technical issue, why does it have to be treated as a public relations issue, and will this really get the best fix?


    Well, look at all the bad press Microsoft got for the macro viruses, especially the Outlook ones. They added that additional feature because of a demand for more flexibility. So naturally there is going to be some gamesmanship back since so many people are looking for a cause to rail against.

    With that said, I think the vendor should be contacted first. They should in good faith keep the researcher informed that they are working on the issue. If they don't, then the researcher has a conscience problem. He or she knows there is a vulnerability. Someone else could find it. If the vendor isn't willing to act on the vulnerability, that means the vendor is willing to leave people exposed. If you stay quiet, you are party to that.

    quote:


    And, showing my hubris again, why *shouldn't* the finder get proper acknowledgment for their work?


    Microsoft now practices this, but for a while they didn't. For some, I guess, it's an image thing. You want it to look like your own people are good enough to find the issues before anyone else, thus you are the conquering hero. We know it's bunk, but...

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley

  • Some great essays from Counterpane founder Bruce Schneier exist on their site (www.counterpane.com). Disclosure is a battle and I'm not sure how much time we should give vendors. They should get some, but there needs to be some watchdog to hold them to their responsibilities for fixing things. MS is fixing things so they can sell more software, not out of any great "responsibility" they feel.

    On credit card numbers, we're going through that here with out book project (more coming tomorrow). We have NO-None-Zero-Absoutely Not-No Way-No Chance-No How do we want credit card numbers on this site. We're looking for some third party, Paypal, Shareit, something to handle that part for us. We'd prefer a bank, but I'm not sure they want to work with cheapskates like us

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

    http://www.dkranch.net

  • My company works with many CMS vendors. The attitudes of two of them show up the stark contrasts between vendors.

    Vendor A

    • Denies that problems exist.
    • Deletes any unfavourable threads off the site i.e. memory leak found in 'X'
    • Acts aggressively if any points are raised.
    • Makes wild promises for their product but either doesn't back up the claim or the deliverable is so far in the future that humans evolve new organs.

    Vendor B

    • Publishes a full bug list of their product.
    • Actively invites customers to contribute.
    • Keeps the fix list and work-around list for the bugs up to date.
    • Keeps the marketing bs to believable proportions.
    • Doesn't appear to censor its extranet forum
    • [*]Makes a profit!!!!

    Both vendors have an excellent product. I would say that Vendor A has the edge in terms of the product. Vendor B's attitude is a developers dream but you wouldn't let a non-technical person i.e a CEO/finance director near their forum because all the CEO will see is bug, bug, bug.

    In short I think the defensive attitudes of software vendors are due to the marketing image of the product and who signs the cheques. Being open and honest isn't reassuring in the world of corporate politics.

Viewing 3 posts - 16 through 17 (of 17 total)

You must be logged in to reply to this topic. Login to reply