Re: [Full-disclosure] Apache suEXEC privilege elevation / inform

Board: Bugtraq, posted 12 years ago (2013/08/11 02:01); 0 pushes, 0 comments, 0 participants; post 4 of 32 in this thread
On Sat, Aug 10, 2013 at 6:10 AM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
> One thing u gotta remember most of the Admins who handle webservers in
> a network are also developers since most of the organizations will
> always need to cut on expenses, and as we know, most of the developers
> will just look into finishing work and making it work. So if something
> doesn't run due to httpd.conf, you will find these guys loosening
> server security, therefore opening holes to the infrastructure.

Cognitive Bias and Dissonance are well known problems in security engineering. NB's comments are a testament to the disconnect between the creators of the system and the users of the system. (No offense to NB).

See, for example, Peter Gutmann's Engineering Security (www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf) or Ross Anderson's Security Engineering (http://www.cl.cam.ac.uk/~rja14/book.html).

Jeff
Article code (AID): #1I1d_XOH (Bugtraq)