Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sun, 20 Sep 1998 21:14:26 -0400

Paul D. Robertson wrote:
[...] While it isn't 100% foolproof, there's 
a lot to be learned from a B2 evaluation.  Security modeling, code 
walk-throughs, secure development methodologies, they all have their 
place if you're going to build assurance.

There's a lot to be learned but the price is insane, in terms
of person-effort and time-to-market. B2 evaluation and all that
orange book stuff is too slow and expensive to be applicable
to today's products.

*BUT* it's important to understand the principles behind them
so you can steal the good ideas and then shortcut from there.
For example, instead of laborious "proofs" that your security
model makes sense, substitute a solid design document that
explains the background behind your security architecture and
why you think it's any good. Instead of laborious external
code reviews, substitute a red team internal review of the
security critical chunks of code. Instead of a Trusted Computer
Base, substitute clean documentation of which chunks are security
critical and how they interact with other chunks, as well as
decently defined permission boundaries.

In other words, steal the good ideas from the past, but don't
chain yourself to the orange book albatross.

For developing security software there's no substitute for
having done it before and made a few mistakes. (I can show
you my scars! Ask Mudge about the many beers and vip vacation!)

That's what really scares me about things like NT security:
"Yesterday I was an undergraduate CS major. Today I am writing a
security policy for an operating system that will wind up on
90+% of the systems in the world by the year 2000"  Joy, Joy, joy!

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr