Re: [SL] SQL-Ledger vulnerability CVE-2006-4244

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

George,

> I am not saying they are naive if they trusted Dieter. What I say is
> that there is a lot more to security then just the application itself.
> Anyone who just slaps anything on a web server without any additional
> precautions is naive. Dieter does behave strangely sometimes I admit but
> he can not be held responsible for every one who just blindely installs
> SL and then hopes for the best. I understand that there is a problem, my
> point is though that if your server is safe there is no way anyone from
> outside (not an employee) can do anything if your setup is half sane.

Well, security is something you implement at every level, not just at the 
gateway.  So:  SSL: yes, Domain limits: Yes, server lockdown: yes, strong 
passwords: yes, secure session tracking: yes, database security: yes, 
database auditing: yes.   What you *don't* do is implement security in one 
area (like SSL or VPN) and expect that you don't need to worry about 
security anywhere else.  That's a fast way to get hacked.

Also, I'll tell you as someone who occasionally used to do database 
forensics professionally, 90% of hacks against a financial application 
happen from *inside* your organization.  The most likely reason for 
someone to hack SL is to commit malfeasance which is almost always going 
to be an employee.  So the fact that SL (or whatever) "isn't on the web" 
isn't a security policy.

-- 
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco