Reply to post: Interesting concept - but code and bugs should be separated...

Top tip? Sprinkle bugs into your code to throw off robo-vuln scanners

Drew Scriver

Interesting concept - but code and bugs should be separated...

As an application delivery engineer I dread the concept of introducing (lookalike) bugs at the code level.

However, it would be interesting to configure an application delivery controller (ADC) to respond to probes with bug-like 'features'.

That would keep the code clean, allow implementation of these 'bugs' without involvement from dev and/or app vendors, and still provide troubleshooting/validation without running into the security bugs.

It would, however, cause madness with security teams running (external) scans. I already have to 'patch' non-existing vulnerabilities because the security team's audit scan fails. Quick example: a scan from a well-known security scanning firm sent OpSec into a mad spin because a request to /xyz.cgi resulted in a 200 OK... At times I wonder if Don Quixote secretly is the patron of OpSec, but I digress.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019