NFR Wizards Archive: Re: Penetration testing via shrinkware

Paul D. Robertson (proberts@clark.net)
Sat, 19 Sep 1998 23:19:58 -0400 (EDT)


On Fri, 18 Sep 1998, John McDermott wrote:

> By the same token, how can firewall testing be accomplished? Let us assume
> bug B. If there is no scanner for bug B because it is unknown until time
> T, then how can a firewall be certified at time <T that it protects itself
> and an internal network from bug B? That is, testing goes hand-in-hand
> with firewall certification, as I see it.
>
> If a firewall is certified to be correct wrt all known bugs on 1Sep98, how
> can it be guaranteed to be correct wrt some bug developed 10 September? It
> seems to me that certification of firewalls and scanners needs to be
> explicitly "as of date xx/xx/xxxx" and that all bets are off after that.

This assumes that you either can't model the vulnerabilities, or that
you're only testing via scanner. While it isn't 100% foolproof, there's
a lot to be learned from a B2 evaluation. Security modeling, code
walk-throughs, secure development methodologies, they all have their
place if you're going to build assurance. "After-the-fact" testing is
always _much_ more blind than during "construction" testing. Just as
crystal boxes tend to be better than black boxes in that regard.

If you go over the code in the IP stack for fragment handling, and you
know for certain how fragments should be handled, then you can probably
get a high assurance that they're handled correctly. If you throw lots
of fragments for lots of protocols at it, and your test doesn't encompass
overlapping fragments, your level of assurance is lower.

Hopefully, when they build a skyscraper or overpass they don't wait until
the thing is done to look at the structural integrity.

History in secure development is a good checkbox for me when I choose
vendors. I wouldn't choose a structural engineer based on the fact that
they'd painted houses pretty colors for years.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson   "My statements in this message are personal opinions
proberts@clark.net   which may have no basis whatsoever in fact."
                                                                     PSB#9280
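The fragment-handling point above (a test that throws many fragments at a stack but never sends overlapping ones gives weaker assurance than knowing how overlaps are handled) can be made concrete with a small model. The following is an added example written for this archive page, not code from the original message or from any firewall product. It models IPv4 fragments as byte offsets plus a "more fragments" flag (the real header encodes offsets in 8-byte units; the simplification is an assumption), puts a naive last-writer-wins reassembler next to a strict one that rejects overlaps and gaps, and runs both over constructed fragment sets. The naive version passes the clean case just as well as the strict one; only the overlapping case separates them, which is exactly why a test suite that lacks that case says little about the property.

```python
"""Model of IPv4 fragment reassembly: naive vs. strict overlap handling.

Added illustration, not part of the original post.  Offsets are plain byte
offsets (assumption: the real header uses 8-byte units).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    data: bytes
    more: bool    # True unless this is the final fragment (the MF flag)


class OverlapError(ValueError):
    """Two fragments claim the same bytes of the datagram."""


class IncompleteError(ValueError):
    """A gap, a missing final fragment, or data after the final fragment."""


def naive_reassemble(fragments: Iterable[Fragment]) -> bytes:
    """Last-writer-wins reassembly: copy each fragment at its offset and never
    check whether offsets collide.  This passes any test that only sends
    well-formed, non-overlapping fragments, and silently accepts ambiguous
    input otherwise (different hosts resolve overlaps differently)."""
    buf = bytearray()
    for f in fragments:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))   # zero-fill any gap
        buf[f.offset:end] = f.data
    return bytes(buf)


def strict_reassemble(fragments: Iterable[Fragment]) -> bytes:
    """Reassembly that requires contiguous, non-overlapping fragments ending
    in exactly one final fragment; anything else is rejected outright."""
    frags: List[Fragment] = sorted(fragments, key=lambda f: f.offset)
    buf = bytearray()
    saw_final = False
    for f in frags:
        if saw_final:
            raise IncompleteError(f"data at offset {f.offset} after final fragment")
        if f.offset < len(buf):
            raise OverlapError(
                f"fragment at {f.offset} overlaps data already ending at {len(buf)}")
        if f.offset > len(buf):
            raise IncompleteError(f"gap between {len(buf)} and {f.offset}")
        buf += f.data
        if not f.more:
            saw_final = True
    if not saw_final:
        raise IncompleteError("final fragment never arrived")
    return bytes(buf)


def classify(fragments: Iterable[Fragment]) -> str:
    """Outcome of the strict reassembler as a short label."""
    try:
        strict_reassemble(fragments)
        return "ok"
    except OverlapError:
        return "overlap"
    except IncompleteError:
        return "incomplete"


# Constructed fragment sets.  "clean" is what a test that only varies
# protocol and fragment count ever produces; "overlap" is the case such a
# test never covers.
CASES: Dict[str, List[Fragment]] = {
    "clean":    [Fragment(0, b"ABCDEFGH", True), Fragment(8, b"IJKLMNO", False)],
    "overlap":  [Fragment(0, b"ABCDEFGH", True), Fragment(8, b"IJKLMNO", True),
                 Fragment(4, b"xxxxxxxx", False)],
    "gap":      [Fragment(0, b"ABCDEFGH", True), Fragment(16, b"QRSTUVW", False)],
    "no_final": [Fragment(0, b"ABCDEFGH", True)],
}


def run_cases() -> Dict[str, str]:
    """Strict-reassembler verdict for every constructed case."""
    return {name: classify(frags) for name, frags in CASES.items()}


if __name__ == "__main__":
    for name, frags in CASES.items():
        print(f"{name:9s} naive={naive_reassemble(frags)!r:22} strict={classify(frags)}")
```

Run it and the "clean" row is identical for both reassemblers; the "overlap" row is where the naive version returns a payload that is partly the first fragment and partly the overwriting one, while the strict version refuses. A test plan that wants assurance about fragment handling has to include that row, not just more protocols and more fragments.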



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT