Secure Coding mailing list archives

ddj: beyond the badnessometer


From: ge at linuxbox.org (Gadi Evron)
Date: Fri, 14 Jul 2006 07:18:08 -0500 (CDT)

On Fri, 14 Jul 2006, Daniele Muscetta wrote:
On 7/13/06, Gary McGraw <gem at cigital.com> wrote:

3) never use the results of a pen test as a "punch list" to attain
security
You are right, but very sadly, that's how it gets used by a lot of
companies....
"hey, the pen testers found problem 1, 2, 3 - we fix those, we are fine". No
way. But still.... I've seen this done in a lot of places....

Gary is correct on many issues, except for one:
pen-testing is NOT black-box testing. Black-box testing is comparable to
white-box testing in parameters of quantification.

How the client deals with the results is unrelated to the type of
results. It's directly linked to why they ordered the test and how they
treat security.

        Gadi.


Best,

Daniele