Re: Penetration testing via shrinkware
Marcus J. Ranum (mjr nfr.net)
Sun, 20 Sep 1998 21:14:26 -0400
- Next message: Eckard Mühlich: "Multiple CORBA-Servers"
- Previous message: Christopher Nicholls: "Re: Penetration testing via shrinkware"
- In reply to: Marcus J. Ranum: "Re: Penetration testing via shrinkware"
- Next in thread: Paul D. Robertson: "Re: Penetration testing via shrinkware"
- Reply: Paul D. Robertson: "Re: Penetration testing via shrinkware"

Paul D. Robertson wrote:
>[...] While it isn't 100% foolproof, there's
>a lot to be learned from a B2 evaluation. Security modeling, code
>walk-throughs, secure development methodologies, they all have their
>place if you're going to build assurance.

There's a lot to be learned but the price is insane, in terms
of person-effort and time-to-market. B2 evaluation and all that
orange book stuff is too slow and expensive to be applicable
to today's products.

*BUT* it's important to understand the principles behind them
so you can steal the good ideas and then shortcut from there.
For example, instead of laborious "proofs" that your security
model makes sense, substitute a solid design document that
explains the background behind your security architecture and
why you think it's any good. Instead of laborious external
code reviews, substitute a red team internal review of the
security critical chunks of code. Instead of a Trusted Computer
Base, substitute clean documentation of which chunks are security
critical and how they interact with other chunks, as well as
decently defined permission boundaries.

In other words, steal the good ideas from the past, but don't
chain yourself to the orange book albatross.

For developing security software there's no substitute for
having done it before and made a few mistakes. (I can show
you my scars! Ask Mudge about the many beers and vip vacation!)
That's what really scares me about things like NT security:
"Yesterday I was an undergraduate CS major. Today I am writing a
security policy for an operating system that will wind up on
90+% of the systems in the world by the year 2000" Joy, Joy, joy!

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT