Secure Coding mailing list archives
RE: How do we improve s/w developer awareness?
From: "Michael S Hines" <mshines () purdue edu>
Date: Thu, 02 Dec 2004 17:23:17 +0000
I've been trying to get IT Auditors and the Audit community in general to apply the same due diligence to operating systems (infrastructure or general controls) that they apply to applications systems testing. I'm not aware of anyone in the IT Audit community doing OS audits - to verify that the systems work as advertised and do not fail where they should not.

I became quite aware of this a few years ago when I was in a group doing Penetration Testing of an OS and discovered many flaws.

Why don't auditors audit the OS? I, frankly, don't know. But Auditors do have the ear of upper management and they could be the ones indicating the weaknesses in the infrastructure that put the organization at risk.

We wouldn't put in a new payroll system without verifying that it works properly. Yet we're more than willing to unpackage and plug in a desktop computer without the same due diligence. Why? It's beyond me.

Perhaps if more people were asking the right questions to the right people ... ?

Why we've come to accept the CTL_ALT_DEL 'three finger salute' as SOP is beyond me.

Of course the issues above aren't limited to one particular OS. There are plenty of problems to go around. (see the work done at Univ of Wisconsin - the Fuzz Testing project http://www.cs.wisc.edu/~bart/fuzz/fuzz.html )

Mike Hines
-----------------------------------
Michael S Hines
[EMAIL PROTECTED]