Comments on: An Ounce of Prevention is Worth a Pound of Cure

By: ehay2k

ehay2k — Wed, 09 Dec 2009 16:34:36 +0000

It is fascinating that people will spend more time defending their position of not fixing something rather that just implementing the fix. This applies not just to developers, but to anyone who creates or repairs things: carpenters, plumbers, bakers, etc. Pride is a funny thing.

Here’s what I ask them when I get pushback: Do you wash you hands after you use the restroom? Times are tough, so we are thinking of saving $$ by removing the soap and turning off the sinks. I guess, if you can do an audit to show all the microbial threats in the restroom, and then show that they WILL infect you (not just that they might, or that sometime down the road they may mutate or your immunity will diminish), then we can let you continue to wash your hands.

I find it always helps to have people take a more personal perspective on a problem.

By: Joseph Webster

Joseph Webster — Tue, 24 Nov 2009 19:09:01 +0000

As a security pro AND developer I’m constantly amazed by the bizarre attitude that some of my boneheaded cohorts have towards testers in general. They seem to take it as a personal affront when errors are found in their code. The developer should thank you for finding ANY bug (i.e. doing their job for them and preventing them from really looking like an idiot when it’s most important) rather than giving you static. It’s reasonable to assume that you should be be willing to give developers all of the details to assist in the fix, or that there may be a dispute as to nature of the flaw. But if it’s broke you fix it and thank whoever is trying to keep your buns out of the ringer. I can tell you for certain that if any of my direct reports reacted like the code monkey in your story, I’d bitch slap them so hard their unborn children would be well behaved.

By: King

King — Sun, 22 Nov 2009 20:20:14 +0000

Even if you could prove a bug is not exploitable today, that’s still no reason not to fix it. It could become exploitable tomorrow when some new feature is added.

By: Andy Steingruebl

Andy Steingruebl — Sat, 21 Nov 2009 06:38:35 +0000

Sorry, I was in complete agreement. Luckily I work somewhere where I can easily convince people to fix those types of bugs.. Yes, its quite tiring to have to create a working exploit for obviously buggy code….

By: Chris Eng

Chris Eng — Sat, 21 Nov 2009 02:20:27 +0000

@Anton: I think you’re agreeing with me but I’m not sure!

@Andy: I agree that a QA person or a developer benefits from seeing an actual exploit the first time they are exposed to a vulnerability class they haven’t seen before. It’s the “prove it to me or it’s not real” mindset that I’m tiring of.

By: Andy Steingruebl

Andy Steingruebl — Sat, 21 Nov 2009 01:14:27 +0000

I’ve had a policy that during a pentesting engagement, etc. we only have them craft working exploits if we have to, to show a complicated bug for the purposes of verifying that we have fixed it, not for the purposes of getting it fixed.

Also, Sometimes the best way for a QA person to understand a bug is through an exploit, or at least a partially working one.

Of course, where I work we actually take security bugs very seriously, and not everyone has this luxury.

By: Anton

Anton — Sat, 21 Nov 2009 00:18:16 +0000

The development of some exploits requires skills and time. It might be also not in the scope of your contract. As my last argument I normally request for a permission to publish a bug in a public security mailing list and let other people to confirm that. You didn’t see such mails, did you?.. ;-)
Some bugs might look not exploitable even from your humble opinion. Low down the risk rating, but it has to be fixed anyway.