> The idea that any application is installed on a server that is open to the
> internet, or even if used internally, should be installed in such a way that
> is open to hacking by default is, quite frankly, ridiculous.

I've got bad news for you. Stick this in Google:

[product] default vulnerability

and prepare to be amazed. Some suggestions: PHP, IIS, Apache. Not all allow remote users to execute arbitrary code, but plenty do.

> I have been responsible for corporate level global infrastructures including
> the use of firewalls, VPNs, etc. If you have ever worked with any high
> standard product you will be aware that features remained closed by default.
> You don't install a firewall and find all the ports are open and you have to
> select which to close, quite the reverse.

I submit to you that it should not be surprising that products explicitly designed for security purposes, like firewalls and VPNs, will be expected to be secure by default.

> The notion that it's the sys admin's fault if a product installs in an
> unsecure way beggars belief.

No, that's not the sysadmins' fault. But leaving a product at the default install state on an untrusted network - that IS the sysadmins' fault. How is a sysadmin going to make sure that the developers' applications are secured properly, if he doesn't know enough to secure the one web application that's packaged with the product?

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358204

