[Dailydave] Amusement
Adam Shostack
adam at shostack.org
Thu Oct 24 19:12:02 UTC 2019
Hi Dave,
This is a thought-provoking problem, thanks for sharing.
What resources do you find work best for explaining it? Are there
blog posts, presentations, etc? How does the argument that it doesn't
matter go? What needs to be addressed?
Adam
On Thu, Oct 24, 2019 at 12:32:54PM -0400, Dave Aitel wrote:
> So one of the hardest jobs as a penetration testing firm is when a new bugclass
> starts getting popular, for whatever reason, you have to find a way to explain
> to your clients that not only do they have to adjust their defenses, but the
> defenses they put in place for the last bugclass may, in fact, be
> counterproductive.
>
> This is the story of HTTP Desync, which I find hilarious. We're still
> struggling to explain it really, and right now it's hard to show what the
> impact is to clients. You mark it as High, they mark it as Low, and without a
> lot more work you're not going to have a ton of ability to argue the point.
>
> Likewise, fixing it requires...a ton of effort. I'm not even sure what to
> suggest. No doubt your client is just going to ignore it until someone big gets
> owned and then they're going to be annoyed at you for not pushing your point
> harder.
>
> But regardless, we find it on EVERY SINGLE ENGAGEMENT now, and I'm enjoying the
> ramp up everyone is going through. :)
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
--
Adam Shostack
President, Shostack & Associates
https://associates.shostack.org • +1 917 391 2168
Join my very quiet announcement list: https://adam.shostack.org/newthing
More information about the Dailydave
mailing list