[Info-vax] Security research, was: Re: How would you load balance excess webserver traffic between multiple OpenVMS servers?
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Thu Jan 14 08:22:29 EST 2021

On 2021-01-14, Dave Froble <davef at tsoft-inc.com> wrote:
> On 1/13/2021 2:24 PM, Simon Clubley wrote:
>> As for WASD, the most glaring security flaw I remember was a directory
>> traversal flaw but there were several other issues identified.
>
> Marc seems to be rather good at fixing such when it's brought to his
> attention.
>
Yes he is and those security researchers helped make WASD a better product
by finding flaws missed during the initial design.

>> The point I am making David is that outside parties probing a system
>> or application can reveal security flaws that have been around for years
>> whether that's a glaring security flaw such as the directory traversal
>> flaw in WASD or a disastrous flaw in DCL.
>
> I agree, except for your definition of disaster.
>
Good. I would hope that whenever the next batch of security research
is done on VMS and flaws are found, the community (and VSI) embrace the
researchers and thank them for their work instead of going into denial
and treating them as the enemy.

Trust me, it's not nice to be treated as the enemy when all you are trying
to do is to help people make their systems more secure.

>> There is a problem in the VMS world where some people think that because
>> no-one has bothered to look for vulnerabilities, then that means there
>> are no vulnerabilities to be found.
>
> Perhaps some, but not me. I expect there may be such. I don't declare
> that they must exist.
>
I know it's not comfortable having inconvenient truths revealed.
The alternatives however are far worse.

Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.