Security Basics mailing list archives

Re: Why Security testing is required


From: Byron Sonne <blsonne () rogers com>
Date: Sat, 21 Feb 2004 12:20:17 -0500

As a non-technical person I want to know why security testing is required
when all security systems like Firewall, IDS and content management are in place.

Security is a *process*, not a state of being or a product.

Testing is required because security is a very imperfect thing and it will change all the time. You need a feedback loop based on hardcore, honest evaluation so that you can adjust for your deficiencies and correct your errors.

It's kind of like going to the doctor for a periodic checkup... sure you might be living well, eating good and doing everything right, but that is absolutely no guarantee that there isn't something horribly wrong with you. Would you trust a bank or investment firm to manage your money without providing to you periodic statements, or the ability to call them up at any point and ask how your money is? ;)

Much like real life, the criminals are always one step ahead of the cops. I would consider myself foolish if I would implicitly trust that the products and services I have purchased (or whipped up myself for that matter!) are really, truly doing their job. Firewalls can be bypassed, IDS fooled and content management skirted. Not that people strive to make bad products, but no one is perfect.

To paraphrase Mikhail Gorbachev: "Trust, but Verify".

--

For Good, return Good. For Evil, return Justice.

