On Fri, 14 Jul 2006, Daniele Muscetta wrote:
> On 7/13/06, Gary McGraw <[EMAIL PROTECTED]> wrote:
> >
> > 3) never use the results of a pen test as a "punch list" to attain
> > security
> >
> 
> 
> You are right, but very sadly, that's how it gets used by a lot of
> companies....
> "hey, the pen testers found problem 1, 2, 3 - we fix those, we are fine". No
> way. But still.... I've seen this done in a lot of places....

Gary is correct on many issues, except for one:
pen-testing is NOT black-box testing. Black-box testing is comparable to
white-box testing in parameters of quantification.

How the client deals with the results is unrelated to the type of
results. It's directly linked to why they ordered the test and how they
treat security.

        Gadi.

> 
> Best,
> 
> Daniele
> 

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php