

aliases

  • Chris E
  • Chris E
  • Chris
  • Chris Eng

Chris E

1 month ago

in The Security Implications Of Google Native Client on Matasano Chargen
Great article Chris! Thanks for writing it up.

1 year ago

in Ruby’s Vulnerability Handling Debacle on Matasano Chargen
Did I read that correctly? Ruby maintainers didn't have a release branch, so they patched the latest dev build and threw it out there, thinking there would be no problems?

Even without a branch, couldn't they have just rolled back to whatever revision corresponded to the release date, created a branch after the fact, and patched from there?

While Ruby is no Java in terms of maturity, it's still been around long enough that there should be a more robust development/test process.

1 year ago

in How To Hide^H^H^Handle Security Problems in Your Products on Matasano Chargen
Great essay. Thanks for reposting.

1 year ago

in The Web Pest Poet on Matasano Chargen
Umm... first?

IOU one witty comment.

1 year ago

in In Which I Resolve A Titanic Semantic Conflict on Matasano Chargen
Good distinction. I guess maybe it is better described as the Art/Science combo versus Engineering... but that's a lot more syllables. :>

2 years ago

in On The Different Types Of Penetration Tests on Matasano Chargen
Chris_B, though pen testing can be classified as QA and the lines are becoming increasingly blurred between the two, QA tends to be more scripted than pen testing and usually doesn't require building customized tools each time. Product (or shrink-wrap) pen tests require a very different skillset, and they are few and far between.

2 years ago

in Avoid Really Wasting Money On Penetration Testing on Matasano Chargen
Oh sure Dave, link to me and then out-blog me! :)

All great advice though. On the "Testing environment should match production environment" tip, I'd add that it's also important to ensure that your testing environment is populated with realistic, production-like data. It's hard to exercise certain attack vectors when there is not sufficient data in the system.

2 years ago

in Joel Snyder Follows Up. Matasano Provides The Missing Subtext. on Matasano Chargen
ToddH, just because Joel may be a "long time security veteran" doesn't give him immediate credibility in web application security topics. Regardless of how scientific (or not) the Acunetix survey was, Joel's comments on Slashdot read like someone who has seen the OWASP Top 10 list but doesn't really understand how they work.

Oh, and just in case you missed it, Matasano guys, documenting a methodology to settle this silly dispute might help you "make a name for yourselves!" Don't miss this golden opportunity! :P

2 years ago

in Who Cares About Printer Attacks? on Matasano Chargen
Good post. I will admit that at @stake, we'd always chuckle a bit at the notion of pen testing a printer, but inevitably the thing would be full of vulnerabilities, largely because printer manufacturers don't fully grasp point #4 above.

One gating factor preventing printer-based malware and exploits from really taking off is the need to actually purchase the hardware. This is a similar barrier to what Chris Wysopal described in this post:

http://www.veracode.com/blog/?p=11

It's not nearly as expensive a barrier but still more expensive than spending 10 minutes downloading a piece of software. Although, given the lenient return policies of many online vendors, the cost of pen testing an expensive printer for 30 days can be reduced to the cost of shipping, if one were so inclined.

It was amusing the first time a co-worker showed me a digital photo they had taken of a printer LCD displaying an error message alongside the number 0x41414141.