For the most part, I agree with Ben's comments. For
completeness, a system can be as secure as possible if
a vulnerability assessment of that system is
conducted, and that information is then used to launch
a "full disclosure pen-test" or perhaps more
appropriately, a "verification analysis".
However, like anything else, this is only a snapshot
of the system in time. We then get into the change
control/management process, and where verification
testing fits in such a process.
> But any "analysis" process should include external verification - i.e. that
> the box is doing what you told it to do, right?
>
> This is quite distinct from the traditional pen-test
> in that it isn't blind.
>
> I think that to create the most secure system possible, blind pen-testing is
> a waste of time -
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Sep 13 2001