db <[email protected]> writes:
G'day DB.
> Daniel um ... ok. I don't see how a security audit is any different to any
> other (audit). Audits should be done.
Absolutely. We are in complete agreement here.
Now I just have one last question, to help me understand what you are trying
to say: what do security audits have to do with penetration testing?
Perhaps this is just me, though. Maybe I am using the terms wrong or something:
My experience, to date, is that "penetration testing" means that someone comes
along with their toolset and tries to break into the server. Usually,
"knocking on the door" of services, scanning for known vulnerabilities,
checking for weak passwords, that sort of thing.
What it *doesn't* include is any real degree of looking inside the system. No
auditing of your password policies, or your system configuration. No checks
on how you handle privilege separation.
Penetration testing is all about having someone run tests on the "black box"
system to see if they can find any security issues.
A "security audit", on the other hand, is very "white box": you pay someone to
come along, systematically look at every aspect of the system, compare it to
your documented plan for maintaining security, then report on how you did in
practice compared to theory.
Based on those definitions I see the two of them as quite distinct tasks, and
one of them as much more valuable. :)
Daniel
--
✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
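The "white box" audit described in the message above, comparing a host's actual configuration against the organisation's documented plan, can be illustrated with a small script. This is an added example, not code from the thread or from the list's authors; the sshd_config and login.defs snippets and the BASELINE plan are constructed samples, and the parsing and rule format are assumptions made for the illustration.

```python
"""White-box configuration audit: compare what a host actually runs against
the documented security plan, the kind of check an audit does and a black-box
penetration test does not. Added example; the config text and baseline below
are constructed, not taken from any real host."""

import re

# Constructed sample of an sshd_config as collected from a host during an audit.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Constructed sample of /etc/login.defs from the same host.
SAMPLE_LOGIN_DEFS = """\
# login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""

# The organisation's documented plan (constructed). Each entry is either the
# exact expected value or a predicate the actual value must satisfy.
BASELINE = {
    "sshd": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "MaxAuthTries": lambda v: int(v) <= 4,
    },
    "login_defs": {
        "PASS_MAX_DAYS": lambda v: int(v) <= 90,
        "PASS_MIN_LEN": lambda v: int(v) >= 12,
    },
}


def parse_kv_config(text):
    """Parse 'Key value' lines (sshd_config, login.defs style) into a dict.
    Comments and blank lines are skipped; keys stay case-sensitive."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            result[parts[0]] = parts[1].strip()
    return result


def audit_section(name, actual, expected):
    """Compare one config section to its documented baseline.
    Returns a list of finding strings; an empty list means fully compliant."""
    findings = []
    for key, rule in expected.items():
        if key not in actual:
            findings.append(f"{name}: {key} not set (plan requires it)")
            continue
        value = actual[key]
        ok = rule(value) if callable(rule) else value.lower() == rule.lower()
        if not ok:
            findings.append(f"{name}: {key}={value} violates documented plan")
    return findings


def run_audit(sshd_text, login_defs_text, baseline=BASELINE):
    """Audit both sections and return every deviation from the plan."""
    findings = []
    findings += audit_section("sshd", parse_kv_config(sshd_text), baseline["sshd"])
    findings += audit_section("login_defs", parse_kv_config(login_defs_text),
                              baseline["login_defs"])
    return findings


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_SSHD_CONFIG, SAMPLE_LOGIN_DEFS):
        print(finding)
```

Run as-is it reports five deviations for the constructed host; the point is that every finding comes from reading the configuration and the written plan, none of it from probing the service from outside.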
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html