From: Alex Holst
To: Richie Taylor
Date: Fri, 6 Aug 2004 19:50:10 +0200
Subject: Re: Web Application Vulnerability Assessment Tools
Message-ID: <20040806175010.GA12398@miracle.mongers.org>
User-Agent: Mutt/1.4.1i

Quoting Richie Taylor (Richie.Taylor@reasoning.com):
> Alex,
>
> I was forwarded your email from a co-worker. I work for Reasoning Inc,
> an application code inspection company in Mountain View CA.
>
> Reasoning www.reasoning.com provides a software defect detection
> service. We detect critical, crash-causing and data-corrupting defects
> like:
>
> Memory leaks
> Out-of-bounds array conditions
> Buffer Overflows
> NULL pointer dereferences

Richie,

Allow me to retort:

I was answering a question on the secprog list, not asking it. I am
currently not in need of a vulnerability assessment tool. The question
was specifically about SQL injection in web applications, which you
don't mention in your sales pitch.

You attached a 1 megabyte PDF document which will not render in this
UNIX console where I read my mail. I strongly suggest you simply provide
a link to any relevant documentation rather than forcing it down
potential customers' throats.

One final point below this quoted text:

> Reasoning Enters Security Arena with New Application-level Security
> Inspection Service Security Inspection Service Minimizes Existence of
> Major Root-cause Vulnerabilities Behind 70% of CERT Advisories
> http://www.reasoning.com/newsevents/pr/03_08_04.html
>
> "THE PERILS OF MODIFYING SOFTWARE"
> Study shows that modified code can increase defects three-fold
> http://www.esj.com/news/article.asp?EditorialsID=883
> http://www.reasoning.com/newsevents/pr/03_08_04.html

The above esj.com URL is vulnerable to SQL injection.

All in all, you contacted the wrong guy, didn't do very well at adhering
to good email etiquette, and a major reference you use to sell your
security services is in itself vulnerable.

Enjoy your weekend.

Alex

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.
http://a.mongers.org
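As an added illustration of the class of bug Alex refers to (this is not code from either company, and it says nothing about how esj.com's article.asp was actually written): a minimal Python/sqlite3 model of an integer query-string parameter such as EditorialsID=883 concatenated into SQL, the validated and bound version of the same lookup, and the boolean differential probe a tester runs to tell the two apart. The editorials table, its rows and all function names are assumptions made up for the example.

```python
import sqlite3

# Constructed sample rows standing in for a news site's article table.
# Hypothetical schema; only "published" rows are meant to be reachable.
ARTICLES = [
    (883, "The Perils of Modifying Software", "published"),
    (884, "Unpublished draft", "draft"),
    (885, "Another unpublished draft", "draft"),
]


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE editorials (id INTEGER PRIMARY KEY, title TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO editorials VALUES (?, ?, ?)", ARTICLES)
    return conn


def fetch_vulnerable(conn, editorials_id):
    """The classic mistake: the raw query-string value is pasted into the SQL.

    Because the value is an integer, it sits in the statement unquoted, so
    no quote character is needed to break out of it.
    """
    sql = (
        "SELECT id, title FROM editorials WHERE status = 'published' "
        "AND id = " + editorials_id
    )
    return conn.execute(sql).fetchall()


def fetch_safe(conn, editorials_id):
    """Hardened version: reject anything that is not a plain integer, then bind it."""
    if not editorials_id.isdigit():
        raise ValueError("EditorialsID must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM editorials WHERE status = 'published' AND id = ?",
        (int(editorials_id),),
    ).fetchall()


def probe(fetch, conn, base="883"):
    """Boolean differential test for an integer parameter.

    Send the base value, then the base value with a true tautology and with a
    false one appended.  If the input is treated as data, the two appended
    cases behave identically (here: both rejected).  If it is interpreted as
    SQL, 'AND 1=1' matches the baseline and 'AND 1=2' empties the result.
    Returns True when the parameter looks injectable.
    """

    def run(value):
        try:
            return fetch(conn, value)
        except (sqlite3.Error, ValueError) as exc:
            return ("error", type(exc).__name__)

    baseline = run(base)
    true_case = run(base + " AND 1=1")
    false_case = run(base + " AND 1=2")
    return baseline == true_case and true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("normal:", fetch_vulnerable(db, "883"))
    # The OR binds after the AND, so every row, drafts included, comes back.
    print("tautology:", fetch_vulnerable(db, "883 OR 1=1"))
    print("vulnerable injectable?", probe(fetch_vulnerable, make_db()))
    print("safe injectable?", probe(fetch_safe, make_db()))
```

The probe deliberately treats a database error and a validation error the same way: a tester seeing the page for `883 AND 1=1` match the normal page while `883 AND 1=2` comes back empty has enough to report, without ever needing a quote character or an error message.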