ddj: beyond the badnessometer

[ge at linuxbox.org (Gadi Evron)]

On Thu, 13 Jul 2006, Gary McGraw wrote:
> Hi all,
>
> Is penetration testing good or bad?
>
> http://ddj.com/dept/security/189500001

It's great, but "penetration testing" of the network assesment types is
useless as it takes a picture of what the network look slike TODAY, while
tomorrow it's a different network with different vulnerabilities.

Automating the process is the way to go.

As to software testing, it considerably depends on what you use. If you
test with SATAN-comparable tools, well, you won't get far.

> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> book www.swsec.com
>
>
> ----------------------------------------------------------------------------
> This electronic message transmission contains information that may be
> confidential or privileged.  The information contained herein is intended
> solely for the recipient and use by any other party is not authorized.  If
> you are not the intended recipient (or otherwise authorized to receive this
> message by the intended recipient), any disclosure, copying, distribution or
> use of the contents of the information is prohibited.  If you have received
> this electronic message transmission in error, please contact the sender by
> reply email and delete all copies of this message.  Cigital, Inc. accepts no
> responsibility for any loss or damage resulting directly or indirectly from
> the use of this email or its contents.
> Thank You.
> ----------------------------------------------------------------------------
>
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php