[attrition] rant: Ejection Seats, Cooking Dinner, and Vuln Disclosure
lyger
lyger at attrition.org
Tue Apr 6 01:59:11 UTC 2010
http://attrition.org/security/rants/disclosure01.html
Mon Apr 5 21:46:28 EST 2010
By: d2d
Doing info-sec for a small company has its highs and lows. Your
organization is too small to afford market leaders, so you buy software
from niche-market vendors. Software that you know is less tested, and so
you feel more obligated to do due diligence in your own internal
assessments. That is somewhat of a 'high' point if testing apps is
something you enjoy.

If that was all, a gig like mine would be pretty nice. There is nothing
more fun than finding a big-ass flaw in a piece of software (that you
didn't write, that is). From that initial hunch, to that little thing you
noticed that made you think you were onto something, to the cigarette
breaks where you ponder new avenues to approach it from, right up to that
pinnacle when you finally find that big vuln. The feeling is a bit
universal too, whether testing a web app, some java servlet, or a full-on
daemon.

To me, if I search a piece of software on OSVDB.org and I find nothing,
then I'm nearly guaranteed that nobody has _really_ looked at this thing,
or at least not published their findings. So yeah, some of the work is
great. The fun tends to stop right there though.
[...]