Security Basics mailing list archives

RE: Why Security testing is required


From: "Ryan Cornelsen" <ryancor () microsoft com>
Date: Thu, 26 Feb 2004 16:15:30 -0800

By that same token, many people have a false understanding of what
"security" really means.  Security, whether it be physical, electronic,
or otherwise, only buys the user time.  Take a home safe for example.
You can buy the best safe on the market but given enough time and the
right tools anybody can break into it.  The same goes for electronic
security on computers.  That being said, the time that a good security
system buys you can often be the determining factor between a thief
hacking your system or giving up and moving on to a lesser protected
target.  The only question that remains is: "How much time do you need?"
The other thing people tend to overlook when it comes to securing a
computer is the physical security.  All the firewalls in the world won't
do you any good if somebody walks into your lab and takes the computer
itself or hooks up another computer directly to hack into it.  It's much
easier to hack a security system when physical access is gained to the
computer.

To give my own .02 cents on the original question, security testing is
important because you need to be proactive in finding new ways to hack a
system.  If you don't find the security flaw and plug it then someone
else will exploit it.  No matter how good you are, you will always miss
*something* when designing software; the only question is what and how
severe of a problem it is.

Ryan Cornelsen
-----Original Message-----
From: Navaneetharangan [mailto:navaneeth () innsolutions com] 
Sent: Wednesday, February 25, 2004 8:35 PM
To: security-basics () securityfocus com
Subject: RE: Why Security testing is required

Hi all,
A couple of days after reading this post, I came across a very
interesting definition for Security. The speaker actually said,
"Security doesn't lie in keeping your money in a fireproof safe,
locking it and hiding the key in a far away island, but lies in making a
few such safes, locking them and asking a thief to try and break it."
This means that no security measure is complete without testing it
thoroughly.

Regards
C.Navaneetharangan CISA


-----Original Message-----
 
On Thursday 19 February 2004 05:07 pm, Matt Lyon wrote:
Hi List,

As a non technical person I want to know why security testing is required
when all security systems like Firewall, IDS and content management are in
place.

This is a very basic question but I want to know answers from different
users point of view like:-

good ?,




