[SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Gary McGraw
Hi all, Is penetration testing good or bad? http://ddj.com/dept/security/18951 gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com

Re: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Gadi Evron
On Thu, 13 Jul 2006, Gary McGraw wrote: Hi all, Is penetration testing good or bad? http://ddj.com/dept/security/18951 It's great, but penetration testing of the network assessment type is useless, as it takes a picture of what the network looks like TODAY, while tomorrow it's a

Re: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Nash
On Thu, Jul 13, 2006 at 07:56:16AM -0400, Gary McGraw wrote: Is penetration testing good or bad? http://ddj.com/dept/security/18951 Test coverage is an issue that penetration testers have to deal with, without a doubt. Pen-tests can never test every possible attack vector, which means

RE: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Gary McGraw
Excellent post nash. Thanks! I agree with you for the most part. You have a view of pen testing that is quite sophisticated (especially compared to the usual drivel). I agree with you so much that I included pen testing as the third most important touchpoint in my new book Software Security

RE: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Dana Epp
Although pentesting isn't perfect, I think in the right scope it has the potential of acting in a vital role in the development lifecycle of a project. Building known attack patterns into a library which can be run against a codebase has some merit, as long as you understand what the resulting