Penetration Testing mailing list archives

Re: Government Compliance

From: "Jay D. Dyson" <jdyson () treachery net>
Date: Thu, 16 Jun 2005 07:48:15 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Jun 2005, Dave wrote:

Ok, I have big problems with this. There are seperate and distinctrequirements for maintaining password complexity, performing vuln scans,AND performing penetration testing. Any industry guideline or resourcewould never allow this "definition".

It's said that the Giraffe was a Horse designed by committee.With that in mind, what you're seeing are security decisions made bycommittee as well.

Sadly, a lot of agencies (government, corporate and allegedinstitutions of higher learning) have the same approach. Managerialpolitics and sales drones are more influential in policy decisions thanthe input of clued security people. That's why we have 99% of the messeswe see today.

As a consequence, rather than having said organizations do someserious legwork and construct a solution appropriate to IT requirements,the managerial types tend to simply buy the sizzle of a salesman and gowith Brand X's COTS solution (sic). Similarly, Open Source solutions andmethodologies (most of which are far superior to COTS in most everyrespect) are eschewed because "they cannot be trusted" and "they have notech support." (Their reasons, not mine.)

The solution? If you can find one, I'll put in a good word foryou at the Norwegian Nobel Committee. My successes in this area have beenlimited to picking up the pieces after things go to hell and slowlycultivating opportunities in which I can influence, alter, or annihilatesaid policies. It ain't for the faint of heart.

Am I wrong? Am I over reacting?


        If you are, then I am as well.

- -Jay

   (    (                                                      _______
   ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
 C|~~|C|~~| \----- Jay D. Dyson -- jdyson () treachery net -----/ |    = |-'
  `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFCsZE4xzN3WIW0edsRAgFpAJ9h6YoMygSv6dAcV+AxEavLgeMggACcD+tx
lUPVcpbRhBpCtbADt2so5nU=
=0i8c
-----END PGP SIGNATURE-----

Current thread:

Government Compliance Dave (Jun 16)
- Re: Government Compliance Kevin Lee (Jun 16)
- Re: Government Compliance David J. Bianco (Jun 16)
- Re: Government Compliance Diego Kellner (Jun 16)
- RE: Government Compliance Robert Hines (Jun 16)
- Re: Government Compliance Jay D. Dyson (Jun 16)
  - Re: Government Compliance R. DuFresne (Jun 16)
- AW: Government Compliance Jörg Maaß (Jun 16)
- <Possible follow-ups>
- Government Compliance Security Professional (Jun 16)
- RE: Government Compliance Kasyan, Walter A (Tony) (Jun 16)
- RE: Government Compliance Smith, Michael J. (Jun 16)
- Re: Government Compliance Tim Adams (Jun 16)
- RE: Government Compliance Keith T. Morgan (Jun 16)
- RE: Government Compliance Todd Towles (Jun 16)
- Re: Government Compliance frank_kenisky (Jun 16)
  - Re: Government Compliance Jeffrey Denton (Jun 16)

(Thread continues...)