Security Basics mailing list archives

Re: Getting the message to Testers


From: shawnmer <shawnmer () io com>
Date: Wed, 5 Mar 2003 01:46:59 -0600 (CST)

Hi James,

One suggestion I have is from the testing tools perspective.  In my 
experience a major stumbling block for testers is running *NIX attack 
tools, particularly if the developers are heavily Windows-focused.  To help 
remedy this situation I put together a bunch of security tools and got 
them running on Knoppix <www.knopper.net>.  It's worked well in the sense 
that the developers can learn and run attack tools without the pain of 
*really* learning *NIX and the pain/joy of compilation, dependencies, etc.

Cheers,

-scm


JM: James McGee

JM>Hi
JM> 
JM>I have been asked to give a bit of a security speech to a team of 
JM>User Acceptance Testers at a meeting next month.
JM> 
JM>Their background is primarily testing W32 and AS400 applications, but 
JM>we are now going to be developing all new applications in a web based 
JM>format, with the potential to roll them out over the web.  (hence the 
JM>above request from the testing manager)
JM> 
JM>I am responsible for Firewall/IDS/Server security so I am reasonably 
JM>confident that area is OK.  However, as each new application is going 
JM>to really do something completely different from another previous 
JM>application, I need a generic set of items which these guys should be 
JM>testing for.
JM> 
JM>Things I have on my list so far;
JM>Explain what Information Security is trying to achieve and why...i.e. 
JM>CIA, PAIN, etc.
JM>What physical and technology controls are in place, i.e. Firewalls, 
JM>IDS, Tripwire etc....
JM> 
JM>We have lots of rules in place for application development, but I 
JM>still get stuck when I have to say what sort of security related 
JM>things they should be testing for, but I think something along the 
JM>lines of
JM> 
JM>    No Privilege escalation
JM>    Role-Based Access Control Mechanisms
JM>    Password complexity rules
JM>    Passwords can't be used again
JM>    
JM>Does anyone have any experience of this type of request?  And if so 
JM>have you any additional pointers that you'd like to share?  If not, 
JM>can anyone help me out with stuff I am missing?
JM> 
JM>With thanks in advance
JM> 
JM>
JM>James McGee
JM>CISSP
JM>Information Security Consultant
JM>Infosec LTD
JM>Tel: +44 (0)7092 014 046
JM>Fax: +44 (0)7092 014 046
JM>email james () infosec me .uk
JM>www.infosec.me.uk
JM>
JM>
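The four items on James's list read as requirements; what a tester needs is an oracle that turns each into a concrete pass/fail check. The block below is an added example written for this archive page, not code from either poster or from any product they mention. It models a minimal application with a password complexity policy, a password history that blocks reuse, and a deny-by-default role matrix, and then runs the kind of checks a User Acceptance Tester would put on a checklist: weak password rejected, old password rejected, user cannot read another user's record (horizontal escalation), user cannot perform an admin action (vertical escalation), unknown role gets nothing. The policy values (12 characters, three of four character classes, history depth of 5), the role names, the usernames and the passwords are all assumptions made up for the example.

```python
"""Acceptance-style checks for the security properties in the thread.

Added example, not from the original posts. All accounts, roles, policy
thresholds and passwords are constructed sample data.
"""
import hashlib
import os
import re

# Assumed complexity policy: at least 12 characters and three of four classes.
MIN_LENGTH = 12
CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
           re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def password_complexity_ok(pw: str) -> bool:
    """True if pw meets the assumed length and character-class policy."""
    if len(pw) < MIN_LENGTH:
        return False
    return sum(1 for c in CLASSES if c.search(pw)) >= 3


# Assumed history depth: the last 5 passwords may not be reused.
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def _hash(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, role: str, password: str):
        self.username = username
        self.role = role
        self.history = []  # (salt, digest) pairs, oldest first, newest last
        self._store(password)

    def _store(self, pw: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def change_password(self, new_pw: str):
        """Enforce complexity then no-reuse; return (ok, reason)."""
        if not password_complexity_ok(new_pw):
            return False, "complexity"
        for salt, digest in self.history:
            if _hash(new_pw, salt) == digest:
                return False, "reuse"
        self._store(new_pw)
        return True, "changed"


# Assumed role matrix. Anything not listed here is denied.
PERMISSIONS = {
    "user":  {"view_own_record"},
    "clerk": {"view_own_record", "view_any_record"},
    "admin": {"view_own_record", "view_any_record", "delete_record"},
}


def authorize(actor: Account, action: str, record_owner: str) -> bool:
    """Deny by default. Viewing a record is allowed for the owner with
    view_own_record, or for anyone holding view_any_record; this is the
    check that stops user A from reading user B's record."""
    allowed = PERMISSIONS.get(actor.role, set())
    if action == "view_record":
        if record_owner == actor.username and "view_own_record" in allowed:
            return True
        return "view_any_record" in allowed
    return action in allowed


def run_acceptance_checks() -> dict:
    """Return {check name: passed} for the items on the tester's list."""
    alice = Account("alice", "user", "Correct-Horse-Battery-9")
    root = Account("root", "admin", "Admin-Only-Secret-42")
    eve = Account("eve", "ghost", "Some-Valid-Pass-99")  # role not in matrix
    r = {}
    r["weak_password_rejected"] = alice.change_password("password") == (False, "complexity")
    r["password_reuse_rejected"] = alice.change_password("Correct-Horse-Battery-9") == (False, "reuse")
    r["good_password_accepted"] = alice.change_password("New-Horse-Battery-10")[0]
    r["old_password_still_blocked"] = alice.change_password("Correct-Horse-Battery-9") == (False, "reuse")
    r["user_reads_own_record"] = authorize(alice, "view_record", "alice")
    r["no_horizontal_escalation"] = not authorize(alice, "view_record", "bob")
    r["no_vertical_escalation"] = not authorize(alice, "delete_record", "bob")
    r["admin_can_delete"] = authorize(root, "delete_record", "bob")
    r["unknown_role_denied"] = not authorize(eve, "delete_record", "eve")
    return r


if __name__ == "__main__":
    for name, ok in run_acceptance_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

The useful part for a tester is the shape of `run_acceptance_checks`: every requirement becomes a named case with an expected outcome, including the negative cases (the reuse attempt after a successful change, the unknown role), which are the ones most often left out of a functional test plan.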

