Secure Coding mailing list archives

RE: How do we improve s/w developer awareness?


From: "Michael S Hines" <mshines () purdue edu>
Date: Thu, 02 Dec 2004 17:23:17 +0000

I've been trying to get IT Auditors and the Audit community in general to apply the same
due diligence to operating systems (infrastructure or general controls) that they apply
to application systems testing.

I'm not aware of anyone in the IT Audit community doing OS audits - to verify that the
systems work as advertised and do not fail where they should not.  I became quite aware
of this a few years ago when I was in a group doing Penetration Testing of an OS and
discovered many flaws.

Why don't auditors audit the OS?  I, frankly, don't know. 

But Auditors do have the ear of upper management and they could be the ones indicating the
weaknesses in the infrastructure that put the organization at risk.

We wouldn't put in a new payroll system without verifying that it works properly.  Yet
we're more than willing to unpackage and plug in a desktop computer without the same due
diligence.  Why?  It's beyond me.

Perhaps if more people were asking the right questions to the right people ...  ?  

Why we've come to accept the CTL_ALT_DEL 'three finger salute' as SOP is beyond me.  

Of course the issues above aren't limited to one particular OS.  There are plenty of
problems to go around.
(see the work done at Univ of Wisconsin - the Fuzz Testing project 
http://www.cs.wisc.edu/~bart/fuzz/fuzz.html )

Mike Hines
-----------------------------------
Michael S Hines
[EMAIL PROTECTED] 