OSEC

From: auto125268@hushmail.com
Date: Tue Jan 08 2002 - 20:26:00 CST


    -----BEGIN PGP SIGNED MESSAGE-----

    I think it's all covered. As it says on the page, the bulk will be in specifics in how to test each class of problem you have identified. That seems logical to me.

    I would really like to see some way of determining if source code analysis or black box fault injection is the better approach for each problem. Finding overflows is much easier as a source code analysis exercise, for instance, and cookie poisoning is probably easier as a pen test exercise.

    Just my 2 cents.

    On Tue, 8 Jan 2002 13:45:10 -0800 (PST), James Fleming <jamesfleming94588@yahoo.com> wrote:
    >Whatever you do make sure it's not like the Idea
    >Hamster thing. Whilst it's OK for general assessment,
    >applications are so much more individual and unique
    >and a press this, press that thing just wouldn't work.
    >
    >I am pretty sure you could build a test script type
    >thing though, like QA departments do. I think the list
    >of attacks is a pretty good place to start, if you
    >test all of those I don't see what else that is of
    >concern. That said you should probably take into
    >consideration things like authorization, change
    >control and some of the softer issues.
    >
    >You could include all the various testing setups,
    >like reverse proxies, browsers and commercial tools
    >etc.
    >
    >Has anyone done any benchmarking of commercial tools?
    >
    >__________________________________________________
    >Do You Yahoo!?
    >Send FREE video emails in Yahoo! Mail!
    >http://promo.yahoo.com/videomail/
    >
