Firewall Wizards mailing list archives
Re[2]: Penetration testing via shrinkware
From: Richard Christie <richardc () sundown ncsc mil>
Date: Tue, 22 Sep 98 07:11:15 -0500
MJR Wrote:
*BUT* it's important to understand the principles behind them so you can steal the good ideas and then shortcut from there. For example, instead of laborious "proofs" that your security model makes sense, substitute a solid design document that explains the background behind your security architecture and why you think it's any good. Instead of laborious external code reviews, substitute a red team internal review of the security critical chunks of code. Instead of a Trusted Computer Base, substitute clean documentation of which chunks are security critical and how they interact with other chunks, as well as decently defined permission boundaries.
In other words, steal the good ideas from the past, but don't chain yourself to the orange book albatross.
What you're really driving at, Marcus, is developing software in a trusted manner. Companies developing firewall software should be evaluated by SEI for a Capability Maturity Model (CMM) rating. Companies that are at level 2 or level 3 of CMM have this kind of documentation, and already have peer reviews in place. Also, you can use the Trusted Development Methodology (used to be TSDM) and accomplish much of the same thing. You're right, the Orange Book evaluations take entirely too long, so why not evaluate the development process, and certify a product based on that evaluation? It won't get you a bulletproof firewall, or bulletproof software, but what will? Surely not an Orange Book evaluation. Microsoft was given a C2 rating for Windows NT 3.1 *not* connected to a network.

Richard Christie, SAIC