OSEC

From: James Fleming (jamesfleming94588yahoo.com)
Date: Wed Jan 16 2002 - 11:17:55 CST


    I disagree. It's not a competition over who can find the
    most insidious holes with the least knowledge
    aforethought.

    The aim of any testing is surely to

    > validate that the security requirements have been met
    > validate there are no ways to breach a security policy
    > (if reqs and policy don't exist or are inadequate)
      demonstrate vulnerabilities so system owners can
      determine if they are acceptable risks.

    --- Nelson Sampaio Araujo Junior
    <nelsonlunenetworks.com.br> wrote:
    > Derek,
    >
    > You've got half of the idea.
    >
    > The point is that you need to have TWO independent
    > teams to test the software. One of the teams will
    > have access to software internal development, and
    > the other team NOT.
    >
    > The main point is that even if you are an
    > independent tester, if you have access to
    > privileged information, you will be directed to
    > the original developer's thoughts, which will take
    > from you the ability to think in other approaches
    > in a real independent way.
    >
    > Regards
    > Nelson Junior
    >
    >
    > On Tue, 15 Jan 2002, derek wrote:
    >
    > >
    > > With this, I cannot agree more!
    > >
    > > The programmer should not be the one testing the
    > > software and having the final approval. There
    > > must be an "independent" entity/dept/person with
    > > the responsibility for annoying the developer
    > > about every bug they find.
    > >
    > > For instance:
    > >
    > > As a programmer I know exactly how my code should
    > > work and I often make allowances while testing to
    > > get past one block of code to get to and test
    > > another block... thoroughness is an issue.
    > >
    > > As a programmer I often have a bias as to how I
    > > think the app should be presented to the
    > > user... the real users may not agree (they often
    > > don't).
    > >
    > > Later,
    > > dj
    > >
    > >
    > >
    > > Nelson Sampaio Araujo Junior wrote:
    > >
    > > > You should have different teams for white box
    > > > testing and black box testing.
    > > >
    > > > When you know something, unconsciously you use
    > > > it. If you do black box after the white box,
    > > > you'll *not* get a black box. It will be a
    > > > gray box, because you'll tend to think about
    > > > what you have seen before.
    > > >
    > > > To clarify this, try: black, white and black
    > > > again. You'll see you will try things in the
    > > > first black you'll not be able to figure out if
    > > > you know something about the system.
    > > >
    > > > []s
    > > > Nelson Junior
    > > > nelsonlunenetworks.com.br
    > > > nelsonLUNE.com.br
    > > >
    > > >
    > >
    > >
    >
    > --
    > []s,
    > Nelson Junior
    > nelsonlunenetworks.com.br
    > nelsonLUNE.com.br
    >
