Secure Coding mailing list archives

ddj: beyond the badnessometer


From: gem at cigital.com (Gary McGraw)
Date: Thu, 13 Jul 2006 11:05:01 -0400

Excellent post nash.  Thanks!

I agree with you for the most part.  You have a view of pen testing that
is quite sophisticated (especially compared to the usual drivel).  I
agree with you so much that I included pen testing as the third most
important touchpoint in my new book "Software Security" www.swsec.com.
It is the subject of chapter 6.  All the code review and architectural
risk analysis in the world can still be completely sidestepped by poor
decisions regarding the fielded software.  Pen testing is ideal for
looking into that.

But there are two things I want to reiterate:
1) pen testing is a bad way to *start* working on software
security...you'll get much better traction with code review and
architectural risk assessment.  {Of course, what nash says about the
power of a live sploit is true, and that kind of momentum creation may
be called for in a completely new situation where biz execs need basic
clue.}
2) pen testing can't tell you anything about how good your security is,
only how bad it is.
3) never use the results of a pen test as a "punch list" to attain
security

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com