Question
I am a software developer -- but not a security specialist. A (legitimate) company that does security scans sent my company a notice that we are running an older version of SSH on our hosting server. The company that runs our hosting server says that they cannot release the version of SSH that they are using but assures us that it is secure.
1. Should I trust the hosting company or the scanning company or neither?
2. How difficult is it to determine the version of SSH remotely? How is it that the security company can say what version of SSH we are running but the hosting company cannot?
Looking for advice on how to proceed.
Explanation / Answer
It sounds off that a service provider will not give you details of the product/service you are purchasing. That is like a contractor not telling you what wood he is using to build a house. I would remind your service provider that "security by obscurity" will not prevent a remote attacker from figuring out the version or just launching attacks against all versions of SSH.
You should check to see if you have a "right to audit" in your service contract, as that might give you the right to know this information (always try to get such language in your service provider contracts).
Do you have command line/shell access? If you do, you could try to check the version yourself.
In terms of the pen testers getting the wrong version, it's entirely possible. Depending on the checks they ran (probably automated through a vulnerability scanner), certain characteristics may not give a 100% match. It's also possible to configure/compile your applications to lie about their versions, change banners, or for some intermediate proxy or load balancer to change this information.
However, it sounds like a red flag from the service provider that they will not release this information. You may want to let them know how important security is to your organization and that lack of sufficient security assurances could lead to taking your business elsewhere.
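To make the second question concrete: an SSH server announces itself before any authentication happens. RFC 4253 section 4.2 requires the server to send an identification line of the form `SSH-protoversion-softwareversion SP comments CR LF`, and that `softwareversion` field (for example `OpenSSH_8.9p1`) is what a vulnerability scanner reads to guess the version. The script below is an added example, not code from the question, the answer or any scanner vendor; it parses that banner from constructed sample strings and can optionally fetch one from a host you are authorized to check. The host name, port and sample banners are assumptions for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The software field is free-form, which is why a server can be configured to
# report something other than its true version.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_banner(line):
    """Parse one SSH identification line.

    Returns a dict with 'proto', 'software' and 'comments' (None if absent),
    or None when the line is not an SSH identification line at all.
    """
    line = line.rstrip("\r\n")
    match = BANNER_RE.match(line)
    if match is None:
        return None
    return {
        "proto": match.group("proto"),
        "software": match.group("software"),
        "comments": match.group("comments"),
    }


def fetch_banner(host, port=22, timeout=5.0):
    """Open a TCP connection and return the first SSH identification line.

    The server speaks first, so nothing is sent. RFC 4253 allows a server to
    send other lines before the SSH- line (they must be ignored), so a few
    leading lines are skipped. Only use this against hosts you are authorized
    to check.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(20):  # bound the number of pre-banner lines we tolerate
            raw = stream.readline()
            if not raw:
                break
            line = raw.decode("utf-8", errors="replace")
            if line.startswith("SSH-"):
                return line
    return None


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n",  # typical distro build
    "SSH-2.0-OpenSSH_7.4\r\n",                       # bare upstream version
    "SSH-1.99-Cisco-1.25\r\n",                       # 1.99 = supports 1.x and 2.0
    "SSH-2.0-Generic\r\n",                           # banner deliberately scrubbed
    "220 mail.example.invalid ESMTP\r\n",            # not SSH at all
]


def describe(line):
    """Turn a banner into a one-line human summary."""
    parsed = parse_banner(line)
    if parsed is None:
        return "not an SSH identification line"
    text = "protocol %s, software %s" % (parsed["proto"], parsed["software"])
    if parsed["comments"]:
        text += " (%s)" % parsed["comments"]
    # No digit in the software field means the banner exposes no version,
    # which is exactly the situation where scanner guesses become unreliable.
    if not re.search(r"\d", parsed["software"]):
        text += " [no version number exposed]"
    return text


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner.rstrip()), "->", describe(banner))
    # Example of a live check (hypothetical host; requires network access):
    # print(describe(fetch_banner("ssh.example.invalid")))
```

Running `fetch_banner` against your own server shows you the same string the scanner saw, which answers "how can they know but our provider cannot": the banner is public to anyone who can reach port 22. The same information appears in the `remote software version` line of `ssh -v user@host`. Note that the software field is only a claim: a scrubbed or altered banner (like the `Generic` sample) is why the answer above says a scanner can get the version wrong, and it does not change whether the server actually has the fix.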