Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: Ted Doty <ted () iss net>
Date: Mon, 21 Sep 1998 09:33:43 -0400
At 11:19 PM 9/19/98 -0400, Paul D. Robertson wrote:
> While it isn't 100% foolproof, there's a lot to be learned from a B2 evaluation. Security modeling, code walk-throughs, secure development methodologies, they all have their place if you're going to build assurance. "After-the-fact" testing is always _much_ more blind than during "construction" testing. Just as crystal boxes tend to be better than black boxes in that regard.
ObDisclaimer: I survived two B1/2 evaluations (actually one Orange Book and one ITSEC), and I build a scanner.

The biggest problem in the evaluations was the quality of the evaluation teams. Teams with high-caliber members, which operate together as a stable team for extended periods, might be effective. What I saw was that you could count on neither.

The upshot is that Orange Book methods can probably only be applied for products which place a premium on reliability - for example, medical applications. These systems will always be more expensive if developed under TCSEC guidelines, and they will be upgraded with new features more slowly. This argues pretty strongly for less formal methods, such as peer review, for most products.

I have never seen any data that suggest that formally-evaluated systems are (much, if any) higher quality than non-evaluated systems. If you make the assumption that each of the Orange Book implementations of {security modeling, code walk-throughs, secure development methodologies} will only catch a portion of the defects, the industry may be better served by a less formal/structured analysis combined with black box analysis. By "better served" I mean less expensive, easier to use products that provide roughly equivalent levels of protection. Then again, maybe not.

However, I won't be taking my scanner anywhere near Orange Book until this is a *lot* more clear. Your mileage, as always, may vary.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems           | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328 USA                         | Web:   http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE