Security Basics mailing list archives
Re: Getting the message to Testers
From: shawnmer <shawnmer () io com>
Date: Wed, 5 Mar 2003 01:46:59 -0600 (CST)
Hi James,

One suggestion I have is from the testing tools perspective. In my experience a major stumbling block for testers is running *NIX attack tools, particularly if the developers are heavily Windows focused. To help remedy this situation I put together a bunch of security tools and got them running on Knoppix <www.knopper.net>. It's worked well in the sense that the developers can learn and run attack tools without the pain of *really* learning *NIX and the pain/joy of compilation, dependencies, etc.

Cheers,
-scm

JM: James McGee
JM> Hi
JM>
JM> I have been asked to give a bit of a security speech to a team of
JM> User Acceptance Testers at a meeting next month.
JM>
JM> Their background is primarily testing W32 and AS400 applications, but
JM> we are now going to be developing all new applications in a web based
JM> format, with the potential to roll them out over the web. (hence the
JM> above request from the testing manager)
JM>
JM> I am responsible for Firewall/IDS/Server security so I am reasonably
JM> confident that area is OK. However, as each new application is going
JM> to really do something completely different from another previous
JM> application, I need a generic set of items which these guys should be
JM> testing for.
JM>
JM> Things I have on my list so far;
JM> Explain what Information Security is trying to achieve and why...i.e.
JM> CIA, PAIN, etc.
JM> What physical and technology controls are in place, i.e. Firewalls,
JM> IDS, Tripwire etc....
JM>
JM> We have lots of rules in place for application development, but I
JM> still get stuck when I have to say what sort of security related
JM> things they should be testing for, but I think something along the
JM> lines of
JM>
JM>   No Privilege escalation
JM>   Role Based Access Control Mechanisms
JM>   Password complexity rules
JM>   Passwords can't be used again
JM>
JM> Does anyone have any experience of this type of request? And if so
JM> have you any additional pointers that you'd like to share? If not,
JM> can anyone help me out with stuff I am missing?
JM>
JM> With thanks in advance
JM>
JM>
JM> James McGee
JM> CISSP
JM> Information Security Consultant
JM> Infosec LTD
JM> Tel: +44 (0)7092 014 046
JM> Fax: +44 (0)7092 014 046
JM> email james () infosec me .uk
JM> www.infosec.me.uk
JM>
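The four items in James's list (no privilege escalation, role-based access control, password complexity, no password reuse) can be turned into acceptance checks that testers run against each new application. The following is an added example, not code from the thread or from any of the posters: it models a hypothetical in-memory account service and writes one check per item, each returning True when the control holds. The policy parameters (10-character minimum, three character classes, last five passwords barred from reuse, the role-to-permission table) are assumptions chosen for the example, not rules from the thread.

```python
"""Acceptance checks for generic web-application security controls.

Hypothetical AccountService built for this example; the policy numbers
and the role table are assumptions, not requirements from the thread.
"""
import hashlib
import os
import re

MIN_LENGTH = 10      # assumed complexity rule
HISTORY_DEPTH = 5    # assumed: the last five passwords may not be reused


def password_is_complex(password: str) -> bool:
    """Assumed policy: at least MIN_LENGTH chars and three character classes."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(bool(re.search(c, password)) for c in classes) >= 3


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored history never holds the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    # Assumed role table: only "admin" may change anyone's role.
    ROLE_PERMISSIONS = {
        "user": {"view_own_record"},
        "reviewer": {"view_own_record", "view_all_records"},
        "admin": {"view_own_record", "view_all_records", "assign_role"},
    }

    def __init__(self):
        self._users = {}  # name -> {"role": str, "history": [(salt, digest)]}

    def create_user(self, name, password, role="user"):
        if not password_is_complex(password):
            raise ValueError("password does not meet complexity rules")
        salt = os.urandom(16)
        self._users[name] = {"role": role, "history": [(salt, _hash(password, salt))]}

    def change_password(self, name, new_password):
        if not password_is_complex(new_password):
            raise ValueError("password does not meet complexity rules")
        history = self._users[name]["history"]
        # Re-hash the candidate under each stored salt and compare digests.
        for salt, digest in history[-HISTORY_DEPTH:]:
            if _hash(new_password, salt) == digest:
                raise ValueError("password was used recently")
        salt = os.urandom(16)
        history.append((salt, _hash(new_password, salt)))

    def has_permission(self, name, permission):
        return permission in self.ROLE_PERMISSIONS[self._users[name]["role"]]

    def assign_role(self, actor, target, role):
        # Authorisation is decided from the actor's stored role, never from
        # anything the client sends along with the request.
        if not self.has_permission(actor, "assign_role"):
            raise PermissionError(f"{actor} may not assign roles")
        self._users[target]["role"] = role


# --- acceptance checks: each returns True when the control holds ---------
def check_complexity_enforced(svc):
    try:
        svc.create_user("weak", "password")
        return False
    except ValueError:
        return True


def check_no_reuse(svc):
    svc.create_user("alice", "Correct-Horse-1")
    svc.change_password("alice", "Battery-Staple-2")
    try:
        svc.change_password("alice", "Correct-Horse-1")  # old password again
        return False
    except ValueError:
        return True


def check_rbac(svc):
    svc.create_user("bob", "Plain-User-Pw3", role="user")
    svc.create_user("root", "Admin-User-Pw4", role="admin")
    return (not svc.has_permission("bob", "view_all_records")
            and svc.has_permission("root", "view_all_records"))


def check_no_privilege_escalation(svc):
    svc.create_user("mallory", "Just-A-User-5", role="user")
    svc.create_user("owner", "Real-Admin-Pw6", role="admin")
    try:
        svc.assign_role("mallory", "mallory", "admin")  # ordinary user tries to self-promote
        return False
    except PermissionError:
        return not svc.has_permission("mallory", "assign_role")


def run_all():
    """Run every check against a fresh service; returns {check name: passed}."""
    checks = (check_complexity_enforced, check_no_reuse,
              check_rbac, check_no_privilege_escalation)
    return {c.__name__: c(AccountService()) for c in checks}


if __name__ == "__main__":
    for name, ok in run_all().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The point for a tester is the shape of each check rather than the toy service: every item on the list becomes a concrete attempt that the application must refuse, and a check that passes because an exception was raised is the evidence that the control exists. Against a real web application the same four functions would drive HTTP requests instead of calling methods.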
Current thread:
- Getting the message to Testers James McGee (Mar 04)
- Re: Getting the message to Testers shawnmer (Mar 05)
- Re: Getting the message to Testers security (Mar 05)
- <Possible follow-ups>
- Re: Getting the message to Testers Scott Schwendinger (Mar 06)