Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread bugtraq
For starters I believe you misinterpreted my comments on QA. I was in no way slamming their abilities. With this in mind comments below. Before anyone talks about vulnerabilities to test for, we have to figure out what the business cares about and why. What could go wrong? Who cares? Wh

Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread Andy Steingruebl
On Wed, Feb 4, 2009 at 11:17 AM, Paco Hope p...@cigital.com wrote: Before anyone talks about vulnerabilities to test for, we have to figure out what the business cares about and why. What could go wrong? Who cares? What would the impact be? Answers to those questions drive our testing

Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread Paco Hope
For starters I believe you misinterpreted my comments on QA. I was in no way slamming their abilities. With this in mind comments below. Sorry about that. I am sensitive to the bias. I went to a very small company once (10 people total) and as I looked around I saw offices with big LCDs (I

Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread Andy Steingruebl
On Wed, Feb 4, 2009 at 7:26 PM, Paco Hope p...@cigital.com wrote: Andy also said I think we lose something when we start saying 'everything is relative.' I think we lose something more important if we try to impose absolutes: we lose the connection to the business. No business operates on

Re: [SC-L] Security in QA is more than exploits

2009-02-04 Thread Wieneke, David A.
04, 2009 1:18 PM To: SC-L@securecoding.org Subject: Re: [SC-L] Security in QA is more than exploits All, I just read Robert's blog entry about re-aligning training expectations for QA. (http://bit.ly/157Pc3) It has some useful points that both developers and so-called security people need

Re: [SC-L] Security in QA is more than exploits

2009-02-04 Thread Paco Hope
All, I just read Robert's blog entry about re-aligning training expectations for QA. (http://bit.ly/157Pc3) It has some useful points that both developers and so-called security people need to hear. I disagree with some implicit biases, however, and I think we need to get past some stereotypes