Listers,

Sounds to me like you guys need to set up a "Birds of a Feather" session about hardening the MidTier for use on the public Internet at WWRUG12 next week, huh? WWRUG12 has more than a hundred sessions this year, and some of them will touch on security issues, but what better way to bring together all of this expertise and interest?

Of course, this would be the very first time that a bunch of experts, interested parties, customers, software designers and engineers changed the world with a couple of beers! We'll buy the first round :-). Second one too if it helps.

Seriously, the number of presentation topics and the breadth of the curriculum has been impressive this year, but even with all this expertise we cannot think of or organize every single thing you might want to talk about. We can, however, bring all of this talent to the same place and time. The number of ad hoc conversations at WWRUGs, BMC UserWorlds and RUGs in their day just doesn't happen in other forums. So, in addition to all the formal instruction and shared knowledge, the opportunity to organize your own discussion among like interests is one of the best reasons to come to WWRUG.

See you in San Jose! Next week!

Doug

--
Doug Blair
+1 224-558-5462

Sent from my new iPad
Auto-corrected typos, misspellings and non-sequiturs are gratefully attributed to Steve Jobs :-)

On Oct 8, 2012, at 8:46 AM, "Longwing, LJ CTR MDA/IC" <[email protected]> wrote:

> John,
> I would personally be more concerned about someone having a 'clone' of my
> system and gaining more information than them being able to glean much from
> error messages. Yes, I understand that an error message from the underlying
> vendor db (SQL Server) for example tells them what DB you are running
> on....but I've never been exceedingly concerned about that...I guess I've
> never been in a position where the system I support is so critical that
> someone is going to attack it and any little piece of information provides
> another nugget of capability to exploit.
>
> Being in DOD contracting I understand the concerns for security and such, I'm
> just not sure what they would do with something like the error they
> described.
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[email protected]] On Behalf Of John Baker
> Sent: Monday, October 08, 2012 7:36 AM
> To: [email protected]
> Subject: Results of an application pen-test - need to close holes
>
> LJ,
>
> 2. Improper error handling
>
> The concern would be that the SQL message may reveal information that allows
> a third party to establish the type of database, IP address, etc.
> They would then be in a position to mount an attack with information known
> about that database, i.e. current security concerns etc.
>
> 5. Forced browsing
>
> You correctly identify a good SSO deployment (i.e. the JSS SSO Plugin :-) as a
> solution to forced browsing, i.e. ensuring the user has authenticated before
> being able to access a resource.
>
> John
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> attend wwrug12 www.wwrug12.com ARSList: "Where the Answers Are"
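The two pen-test findings John quotes above (error messages that fingerprint the database, and forced browsing of a resource with no authentication check) side by side in a toy request handler. This is an added example written for this page, not MidTier code and not anything posted in the thread; `handle_request_leaky`, `handle_request_hardened`, `Session`, the `/arsys/...` paths and the sample SQL Server error text are all constructed for illustration.

```python
"""Added example (not from the ARSList thread or from BMC's Mid Tier).

  2. Improper error handling - the leaky handler returns the driver's
     exception text, which names the DBMS and the database host; the
     hardened handler returns a generic message plus a correlation id
     and keeps the detail in the server log.
  5. Forced browsing - the hardened handler refuses a protected path
     before doing any work unless the session is authenticated, the
     way an SSO filter in front of the application would.

All names and sample data below are constructed for illustration.
"""
import logging
import uuid

log = logging.getLogger("midtier.example")

# Constructed sample of the kind of vendor error a tester would flag:
# it names the DBMS, the database host and the failing object.
SAMPLE_DB_ERROR = (
    "[Microsoft][SQL Server Native Client 10.0][SQL Server]"
    "Invalid object name 'T1234' on host arsdb01.corp.example (10.0.5.12)"
)


class DatabaseError(Exception):
    """Stand-in for the driver exception a real data layer would raise."""


class Session:
    def __init__(self, user=None):
        self.user = user

    @property
    def authenticated(self):
        return self.user is not None


def query_db(path):
    """Toy data access layer: one path works, any other fails the way a
    mistyped form name would."""
    if path == "/arsys/forms/ok":
        return {"status": 200, "body": "form data"}
    raise DatabaseError(SAMPLE_DB_ERROR)


def handle_request_leaky(session, path):
    """'Before' handler: no auth check, and the exception text is sent
    straight to the client."""
    try:
        return query_db(path)
    except DatabaseError as e:
        return {"status": 500, "body": str(e)}


def handle_request_hardened(session, path, protected_prefix="/arsys/"):
    """'After' handler: auth is checked first, so an unauthenticated client
    learns nothing about the resource (not even whether it exists), and
    driver errors are logged server-side under a correlation id that is
    the only thing echoed back."""
    if path.startswith(protected_prefix) and not session.authenticated:
        return {"status": 401, "body": "authentication required"}
    try:
        return query_db(path)
    except DatabaseError as e:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s path=%s db error: %s", ref, path, e)
        return {"status": 500, "body": "internal error (ref %s)" % ref}


def leaks_db_fingerprint(body):
    """Crude check a tester might run over a response body: does it name
    a DBMS product or a host/address?"""
    markers = ("SQL Server", "ORA-", "Oracle", "MySQL", "host ", "10.0.")
    return any(m in body for m in markers)


if __name__ == "__main__":
    anon, user = Session(), Session("Demo")
    print(handle_request_leaky(anon, "/arsys/forms/missing"))
    print(handle_request_hardened(anon, "/arsys/forms/missing"))
    print(handle_request_hardened(user, "/arsys/forms/missing"))
    print(handle_request_hardened(user, "/arsys/forms/ok"))
```

Run stand-alone, the leaky handler answers an anonymous request for a missing form with the full SQL Server text, while the hardened one answers 401 for anonymous callers and a bare reference id for authenticated ones; the operator greps the log for that id when the user reports it.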

