Lucien Fransman wrote: > I often wondered about this. An assessment is only as good as the assesser. > What is the use of a "i can break and exploit $foo application, and have > shown this in my tests", if it is done by a private exploit? Again, i'm
[...] > It only shows that the application has a bug, that is known to you or your > company. Will it benefit the company that is being tested? I am not so sure > about this. What would a company do with this kind of information? Fix the > bug? They can't because they dont have access to the source. Will it entice > the vendor to fix the vulnerability? No, as they dont know it exists. It shows that the company's security could/should be improved. Security must follow a layered approach. Perhaps you cannot fix the real problem (i.e. the bug) but you can avoid it to be exploited/abused. For instance, the pentester *probably* couldn't have exploited that 0-day overflow in that Linux critical server if it had Grsec running on. Or the pentester couldn't have exploited that 0-day SQL injection bug if Apache had been configured with some kind of application firewall (ModSecurity, etc). Or this hacked-by-0day server couldn't have been even accessed if the network were propperly segmented/firewalled. Or my IDS noticed the 0day exploitation (not very sure of this }:-)). Or I couldn't avoid the compromise but I had it logged to my syslog bullet-proof server. Or... <etc, etc> If I were a company, I'd like to know that I survived to 0day exploit attempts or at least I detected them. It's an important added value for me. -- Saludos, -Roman PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
