Re: ADV: Re: [arslist] Results of a application pen-test - need to close holes

2012-10-12 Thread Dan Miller
Hi there

something weird is going on with this list, as there were more replies 
yesterday before the system went a bit weird last night..

The last post was about getting together at WWRUG12 to chat about exposing SRM 
to the public internet... I remember someone offered to buy the first round :-)

my colleague and I will be arriving tomorrow at the Fairmont, and staying for 
the week for the conference... if we were to try and get everyone who cares 
about such a thing together, how would one go about that? this is our first 
ever WWRUG, so we are more likely to be the 2 people in the corner hiding and 
hoping someone talks to us :-)

cheers
dan

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are


Re: ADV: Re: [arslist] Results of a application pen-test - need to close holes

2012-10-12 Thread Longwing, LJ CTR MDA/IC
Dan,
I'll be a first year this year too.  Look me up and we can chat...doubt I'll 
be able to add much to the SRM to the public discussion, but according to my 
wife, I know how to talk non-stop...so lack of conversation isn't likely to be 
an issue :)



Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Dan Miller
Hi John

For the session timeout, I found the setting under web, in user preferences.  
Looks like some people had no timeout setting at all, some had 5 hours.  I have 
logged an internal RFC to globally reset everyone's to one hour, and also to 
set the mid-tier webserver timeout to the same to cover all bases.

For the concurrent users, I confirmed that as long as the user does not have a 
fixed license + admin role, then they can not log in concurrently from 
multiple machines, so that one is closed.

As for the auto-complete one, the specific comments from the pen-tester were as 
follows.  He was not actually scanning cookies by the looks of it, more viewing 
the screen in front of him.  He provided a screenshot showing the web browser 
offering the last 3 usernames used on that browser.  It should be possible to 
stop browsers remembering a field value, like online banking sites where, no 
matter what the browser is set to, you can NOT recall the last value of the 
field from the last visit:

The web application allows users to store the password in the browser (remember 
password function). If the auto-complete feature is ON and an attacker gains 
access to the browser cache, they can easily obtain the password in clear text 
and list the complete set of user ids present on the particular application.

cheers
dan



Results of a application pen-test - need to close holes

2012-10-08 Thread John Baker
Dan

The Java servlet API docs do allow a max inactive value to be set on a
session, so I guess that's how it's being done, but the per-user preference is
an interesting design choice. 

The form auto-complete functionality is easy to achieve:
http://stackoverflow.com/questions/2530/how-do-you-disable-browser-autocomplete-on-web-form-field-input-tag


John



Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Dan Miller
hi John

so if I open up login.jsp on each of my mid-tiers, and I modify the code on 
lines 4 and 8 to include autocomplete="off", you think I will get what I 
need?  I am not a coder, so the fact this is JSP, does that matter?


1   <td class="login" nowrap="nowrap" width="20">&nbsp;</td>
2   <td class="login" nowrap="nowrap" id="LoginLabel-id">
3   <b><label for="username-id"><%=MessageTranslation.getLocalizedText(locale,"User Name")%></label></b>
4   <input name="<%=Params.USERNAME%>" maxlength="<%=Params.USERNAME_LENGTH%>" id="username-id" value="<%=com.remedy.arsys.share.HTMLWriter.escape(name)%>" class="loginfield" size="30" type="text">
5   <td class="login" nowrap="nowrap" width="20">&nbsp;</td>
6   <td class="login" id="PasswordLabel-id" nowrap="nowrap">
7   <label for="pwd-id"><%=MessageTranslation.getLocalizedText(locale,"Password")%></label>
8   <input name="<%=Params.PASSWORD%>" maxlength="<%=Params.PASSWORD_LENGTH%>" id="pwd-id" class="loginfield" size="30" type="password">
9   <td class="Login" nowrap="nowrap" width="20">&nbsp;</td>
10  <td class="Login" name="auth_label" nowrap="nowrap">
11  <label for="auth-id"><%=MessageTranslation.getLocalizedText(locale,"Authentication")%></label>
12  <td><input type="text" NAME="<%=Params.AUTHENTICATION_STRING%>" id="auth-id" maxlength="<%=Params.AUTHENTICATION_STRING_LENGTH%>" class="loginfield" size="30"></td>
13  <td class="Login" nowrap="nowrap" width="20">&nbsp;</td>
14  <td class="loginfield" nowrap="nowrap">&nbsp;</td>
15  <input type="button" name="login" value="<%=MessageTranslation.getLocalizedText(locale, "Log In")%>" onClick="doLogin();"><!--;-->&nbsp;
16  <input type="button" name="clear" value="<%=MessageTranslation.getLocalizedText(locale, "Clear")%>" onClick="clearLogin();"><!--;-->
17  <td class="Login" nowrap="nowrap">&nbsp;</td>
18  <td class="Login" nowrap="nowrap">&nbsp;</td>
19  <input type="hidden" name="<%=Params.TIMEZONE%>" value="">
20  <input type="hidden" name="<%=Params.PASSWORD_ENCRYPTED%>" value="1">
21  <input type="hidden" name="<%=Params.GOTO_URL%>" value="<%=com.remedy.arsys.share.HTMLWriter.escape(nextPage)%>">
22  <input type="hidden" name="<%=Params.SERVER%>" value="<%=com.remedy.arsys.share.HTMLWriter.escape(server)%>">
23  <input type="hidden" name="<%=Params.IP_OVERRIDE%>" value="0">
24  <input type="hidden" name="initialState" value="-1">
25  <input type="hidden" name="<%=HttpSessionKeys.TARGET_URL%>" value="">



Results of a application pen-test - need to close holes

2012-10-08 Thread John Baker
Hello

Yes, you can add autocomplete="off" to <input> elements, ie:

<input name="<%=Params.USERNAME%>"
       maxlength="<%=Params.USERNAME_LENGTH%>" id="username-id"
       value="<%=com.remedy.arsys.share.HTMLWriter.escape(name)%>"
       class="loginfield" size="30" type="text"
       autocomplete="off">


John



Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Longwing, LJ CTR MDA/IC
Dan,
1 - Privilege Escalation - I can't speak to the service catalog (I think that's 
by design)...but if you need the preference record to be only viewable by 
themselves, you could change the permission on field 1 to only allow the 
'Submitter' group access.  This isn't a case of privilege escalation, simply a 
case of being able to do something the evaluator felt they shouldn't be able to 
do

2 - Improper Error Handling - Yes and No...I vaguely understand the concern, 
but I'm not entirely seeing the 'attack vector' based on the content of the 
messages

3 - No Session Timeout - Already addressed

4 - Concurrent User Sessions - Already addressed

5 - Forced Browsing - I'm not familiar with the ability to get into forms 
without authentication, but you could look into applying a 'filter' to your 
tomcat 'arsys' context, thus enabling forced authentication at the web 
server...ideally you would want this authentication to be automatic (SSO) so 
that you don't first need to authenticate to the context, then ALSO need to log 
onto the remedy app...that would simply be annoying to the users

6 - Autocomplete - Already addressed

7 - Banner Grabbing - I have no information about this one...sorry, hopefully 
someone else can assist.

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Dan Miller
Sent: Sunday, October 07, 2012 4:15 AM
To: arslist@ARSLIST.ORG
Subject: Results of a application pen-test - need to close holes

Hi forum,

I hope you can help, and I am sorry in advance for the long post, but I am 
trying to get all this into one post, hoping that someone has gone through this 
exercise before.  So basically, we had an application pen-test before releasing 
our remedy platform to the public internet.  We got 7 things that we need to 
fix, some of them before we can go live, others that can wait a while.

Summary:

1.  Privilege Escalation
2.  Improper Error Handling
3.  No session time out
4.  Concurrent User Sessions
5.  Forced Browsing
6.  Autocomplete feature
7.  Banner Grabbing

Below I have described them a little more with description, recommendation, but 
also the problem I have in getting them implemented.  We are 18 months into our 
first ever Remedy journey, so security is something we have not really 
considered.

Can you please help?


1. Privilege Escalation
--

Description:
-
Privilege escalation in the Remedy application allows a user to gain elevated 
access to resources that are meant for a privileged user.  It was observed that 
in Remedy a user can view / read other users' Service catalogue and preference 
details.  The privilege values should be checked from the database and not be 
stored in a client side cookie.

Vulnerable URLs:

https://hostname/arsys/forms/server-mame/SRS%3ACFGApplicationPreferences/Dialog+Console/?cacheid=aeabdc61&format=html
https://hostname/arsys/forms/server-mame/SRS%3AServiceRequestConsole/enduser/?cacheid=1bc6c61&format=html
https://hostname/arsys/atrium/ServiceCatalog.swf

this means the user can get more rights than they are entitled to. In this 
case a test user was able to see other users' preferences; this may need to go 
back to BMC if TT are unable to resolve it, as it may be an application fault. 
Recommended fix is to enable server side authentication and not client side, 
which is currently in place.

Recommendation:
-
It is strongly recommended to check the privilege values from the database 
before granting access to secured resources / applications.

Problem:

How do I even start with this one….  Is there something I am not doing in terms 
of application lock down?  Is it something to do with object-list within 
mid-tier so URLs can be directly browsed to?


2. Improper Error Handling
---
Description
---
If a web application encounters an error condition it may need to display an 
appropriate error message. Sometimes these messages can be detailed enough to 
give away crucial information about the application. This information may 
include database schema/table names, user names, platform specific information 
etc. Applications giving out detailed error messages run the risk of exposing 
crucial information which can be used later to launch further attacks.

Our Remedy installation seems to have been configured in an insecure way. 
Whenever the application encounters any kind of error condition (such as failed 
execution of an SQL query), an error message of failure SQL operation is sent 
back to the user’s browser.

Example typical error: 
   “The SQL database operation failed. : The data types text and varchar are 
incompatible in the equal to operator. (SQL Server 402) (ARERR 552)”

Recommendation:

In a live environment, application error messages should be kept as short

Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Timothy Powell
Dan,

For the session timeout, I found the setting under web, in user preferences:

As Mr. Baker pointed out, there is also a global timeout setting in the 
Mid-Tier Configuration that's not changeable by the end user.

Tim


Results of a application pen-test - need to close holes

2012-10-08 Thread John Baker
LJ,

2. Improper error handling

The concern would be that the SQL message may reveal information that
allows a third party to establish the type of database, IP address, etc.
They would then be in a position to mount an attack with information
known about that database, ie current security concerns etc.

5. Forced browsing

You correctly identify a good SSO deployment (ie the JSS SSO Plugin :-)
as a solution to forced browsing, ie ensuring the user has authenticated
before being able to access a resource.




John



Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Longwing, LJ CTR MDA/IC
John,
I would personally be more concerned about someone having a 'clone' of my 
system and gaining more information than them being able to glean much from 
error messages.  Yes, I understand that an error message from the underlying 
vendor db (SQL Server) for example tells them what DB you are running on...but 
I've never been exceedingly concerned about that...I guess I've never been in a 
position where the system I support is so critical that someone is going to 
attack it and any little piece of information provides another nugget of 
capability to exploit.

Being in DOD contracting I understand the concerns for security and such, I'm 
just not sure what they would do with something like the error they 
described.



Results of a application pen-test - need to close holes

2012-10-08 Thread John Baker
LJ

Yes, the SQL error documented contains little value, but other messages
could contain value. However, this all has to be balanced with, as you
suggest, the type of data held in AR System. Service desk information is
probably less sensitive than HR data, although infrastructure-related
tickets may be of interest to a third party.


John



Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Grooms, Frederick W
Could the FORCED BROWSING be a case of the tester having an open browser on a 
form and then opening another browser?  Because they are logged in under one 
browser session a second will see the login and not ask for credentials.

Fred


Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Axton
The CWE database does a good job of enumerating and outlining various
weaknesses in applications.  For this specific case, see CWE-209.

http://cwe.mitre.org/data/definitions/209.html

The pen-testing tools that are out there wrap around these commonly agreed
upon weaknesses to generate a report of issues or potential issues.  Manual
pen-testing takes the same approach.

Axton Grams

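What CWE-209 asks for, written out as an added example. This is my illustration, not BMC Mid Tier code and not code from anyone in the thread: the ARERR / SQL Server detail goes to the server log under a random reference, and the browser only ever gets a fixed sentence carrying that reference, which the service desk can match against the log. The class name `SafeErrorMessage` and the `/shared/error.jsp` location are assumed names; the sample exception text is constructed from the message quoted in the pen-test report.

```java
// Added example (not BMC code, not from the thread): CWE-209 mitigation for a
// servlet/JSP application. The full failure stays in the server log; the client
// sees a generic message plus a reference id and nothing about the database.
package example;

import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public final class SafeErrorMessage {

    private static final Logger LOG = Logger.getLogger(SafeErrorMessage.class.getName());

    /** The only text a browser receives; it names no product, host, table or error code. */
    static final String CLIENT_TEXT =
            "The request could not be completed. Please quote reference %s to the service desk.";

    private SafeErrorMessage() { }

    /**
     * Logs the complete failure (message, cause chain, stack trace) server-side under a
     * random reference and returns the client-safe text that carries only that reference.
     */
    public static String forClient(Throwable failure) {
        String reference = UUID.randomUUID().toString();
        // Everything the pen-tester objected to (SQL Server codes, ARERR numbers, schema
        // hints) is retained here, where only operators can read it.
        LOG.log(Level.SEVERE, "ref=" + reference + " " + failure.getClass().getName()
                + ": " + failure.getMessage(), failure);
        return String.format(CLIENT_TEXT, reference);
    }

    public static void main(String[] args) {
        // Constructed sample input: the message shape quoted in the report.
        Exception sample = new RuntimeException(
                "The SQL database operation failed. : The data types text and varchar are "
                + "incompatible in the equal to operator. (SQL Server 402) (ARERR 552)");
        System.out.println("Server log gets: " + sample.getMessage());
        System.out.println("Browser gets:    " + forClient(sample));
    }
}

/*
 * Wiring (assumed paths): route every uncaught exception and HTTP 500 to one JSP
 * in web.xml, and have that JSP render the safe text instead of the exception.
 *
 *   <error-page>
 *     <exception-type>java.lang.Throwable</exception-type>
 *     <location>/shared/error.jsp</location>
 *   </error-page>
 *   <error-page>
 *     <error-code>500</error-code>
 *     <location>/shared/error.jsp</location>
 *   </error-page>
 *
 * /shared/error.jsp (isErrorPage="true" exposes the implicit `exception` object):
 *
 *   <%@ page isErrorPage="true" %>
 *   <p><%= example.SafeErrorMessage.forClient(exception) %></p>
 */
```

The reference id is the part that makes the trade-off LJ and John discuss workable: the user still gets something actionable to hand to support, while the text that would tell a third party which database and product are behind the form never leaves the server.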


Re: Results of a application pen-test - need to close holes

2012-10-08 Thread Doug Blair
Listers,

Sounds to me like you guys need to set up a Birds of a Feather session about 
hardening the MidTier for use on the public Internet at WWRUG12 next week, huh? 
WWRUG12 has more than a hundred sessions this year, and some of them will touch 
on security issues, but what better way to bring together all of this expertise 
and interest?

Of course, this would be the very first time that a bunch of experts, 
interested parties, customers, software designers and engineers changed the 
world with a couple of beers! 

We'll buy the first round :-). Second one too if it helps.

Seriously, the number of presentation topics and the breadth of the curriculum 
has been impressive this year, but even with all this expertise we cannot think 
of or organize every single thing you might want to talk about. We can, 
however, bring all of this talent to the same place and time. The number of ad 
hoc conversations at WWRUGs, BMC UserWorlds and RUGs in their day just 
doesn't happen in other forums. So, in addition to all the formal instruction 
and shared knowledge, the opportunity to organize your own discussion among 
like interests is one of the best reasons to come to WWRUG.

See you in San Jose! Next week!

Doug

--
Doug Blair
+1 224-558-5462

Sent from my new iPad
Auto-corrected typos, misspellings and non-sequiturs are gratefully attributed 
to Steve Jobs :-)



Results of a application pen-test - need to close holes

2012-10-07 Thread John Baker

Dan,

Without wishing to repeat John's feedback, much of what was highlighted 
needs to be tackled by BMC. However, there are a few items that puzzled me.


3. No session time out

The Mid Tier runs on a Java web server with the standard servlet engine 
session timeout, so there is a timeout on sessions. It's set in the Mid 
Tier configuration and is not per user, but Mid Tier instance wide. I 
suspect it was set to a high value and hence the pen testers concluded 
it wasn't set.


6. Auto-complete feature

I wasn't aware that the username/password is being stored in a cookie. 
Did they tell you which one?



John
--
SSO Plugin for BMC ITSM, Dashboards, Analytics.
http://www.javasystemsolutions.com/jss/ssoplugin

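The 'filter on the tomcat arsys context' LJ suggested earlier in the thread and the servlet-engine idle timeout John describes here, worked out as one added example. This is my illustration, not BMC Mid Tier code and not code from anyone in the thread: it assumes a hypothetical session attribute `arsys.user` that the login handler sets on success, a login page at `/shared/login.jsp` under the context, and a one-hour cap (the figure from Dan's RFC). The web.xml mapping in the trailing comment covers the `/forms/` and `/atrium/` paths the report listed.

```java
// Added example (not BMC Mid Tier code, not from the thread): a javax.servlet
// Filter for the Tomcat 'arsys' context that (a) refuses to serve a form to a
// request that has no authenticated session, answering the forced-browsing
// finding, and (b) caps the session idle timeout server-side so a per-user
// preference of "no timeout" cannot override it.
// Assumptions (hypothetical names, not Mid Tier's real ones): the login handler
// stores the user name in session attribute "arsys.user"; the login page is
// /shared/login.jsp relative to the context.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ArsysAuthenticationFilter implements Filter {

    /** Hypothetical session attribute set by the login handler on success. */
    static final String USER_ATTRIBUTE = "arsys.user";

    /** Hypothetical login page, relative to the context path. */
    static final String LOGIN_PAGE = "/shared/login.jsp";

    /** Idle timeout cap in seconds: one hour, the value from the RFC in the thread. */
    static final int MAX_IDLE_SECONDS = 60 * 60;

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session, so an unauthenticated hit on a
        // form URL leaves no server-side state behind.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTRIBUTE) == null) {
            // Forced browsing: the caller knows the form URL but has not logged in.
            // Redirect to the login page; the requested path is deliberately not
            // echoed back into the response.
            response.setHeader("Cache-Control", "no-store");
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        // Session timeout: the servlet engine counts idle seconds per session. A value
        // of 0 or less means "never expire"; clamp that and anything above the cap.
        int idle = session.getMaxInactiveInterval();
        if (idle <= 0 || idle > MAX_IDLE_SECONDS) {
            session.setMaxInactiveInterval(MAX_IDLE_SECONDS);
        }

        chain.doFilter(req, res);
    }
}

/*
 * web.xml fragment for the context (assumption: the class is on the webapp
 * classpath). The patterns cover the two URL families from the report.
 *
 *   <filter>
 *     <filter-name>ArsysAuthenticationFilter</filter-name>
 *     <filter-class>example.ArsysAuthenticationFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ArsysAuthenticationFilter</filter-name>
 *     <url-pattern>/forms/*</url-pattern>
 *     <url-pattern>/atrium/*</url-pattern>
 *   </filter-mapping>
 */
```

Note that this sits in front of the Mid Tier's own login handling rather than replacing it, which is why the session attribute is an assumption: whatever the real login code stores has to be the thing the filter checks. As John and LJ both say, an SSO deployment gives the same guarantee without a second login prompt, so the filter is the belt-and-braces option when SSO is not yet in place.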


Re: ADV: Re: [arslist] Results of a application pen-test - need to close holes

2012-10-07 Thread Dan Miller
hi John

are you going to be at WWRUG this year?



Re: ADV: Re: [arslist] Results of a application pen-test - need to close holes

2012-10-07 Thread Dave Shellman
Dan,

Which John are you asking?

I know one that has replied on this thread is registered.  Another that replied 
is not, at least yet.

Dave
WWRUG12 Office Manager



Re: ADV: Re: [arslist] Results of a application pen-test - need to close holes

2012-10-07 Thread John Sundberg
Dan,

I will be at WWRUG - I hope you are too.

To me - this is one of the great things of WWRUG - to share real life
stories...

Dan - if you are going - please find me -- we can chat about experiences -
and then you can help guide your company/team towards the solution that is
right for them.


-John






-- 

*John Sundberg*
Kinetic Data, Inc.
Your Business. Your Process.
*WWRUG10 Best Customer Service/Support Award*
*WWRUG09 Innovator of the Year Award*
651-556-0930 I john.sundb...@kineticdata.com
 www.kineticdata.com I community.kineticdata.com
