Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response

[Laurelai <laurelai@xxxxxxxxxxxx>]

On 1/11/12 8:39 AM, Ferenc Kovacs wrote:
>     Because the ones with the so called ethics either lack the technical
>     chops or lack the enthusiasm to find simple vulnerabilities. Not very
>     ethical to take a huge paycheck and not do your job if you ask me.
>
>
> If the only thing missing to secure those systems was somebody being 
> able to use sqlmap and xss-me, then that could be fixing without 
> hiring people who already proved that they aren't trustworthy.
> from my experience, the lack of security comes from the management, 
> you can save money on that (and qa) on the short run.
> so companies tend to hire QSA companies to buy the paper which says 
> that they are good, when in fact they aren't.
> most of them don't wanna hear that they are vulnerable and take the 
> risks too lightly.
> if they would take it-security seriously it simply couldn't be owned 
> through trivial, well-known attack vectors.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
:D at least one person here gets it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/