Re: Government Compliance

From: Jay D. Dyson (jdyson_at_treachery.net)
Date: 06/16/05

  • Next message: Smith, Michael J.: "RE: Government Compliance"
    Date: Thu, 16 Jun 2005 07:48:15 -0700 (PDT)
    To: Penetration Testers <pen-test@securityfocus.com>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Wed, 15 Jun 2005, Dave wrote:

    > Ok, I have big problems with this. There are separate and distinct
    > requirements for maintaining password complexity, performing vuln scans,
    > AND performing penetration testing. Any industry guideline or resource
    > would never allow this "definition".

             It's said that the Giraffe was a Horse designed by committee.
    With that in mind, what you're seeing are security decisions made by
    committee as well.

             Sadly, a lot of agencies (government, corporate and alleged
    institutions of higher learning) have the same approach. Managerial
    politics and sales drones are more influential in policy decisions than
    the input of clued security people. That's why we have 99% of the messes
    we see today.

             As a consequence, rather than having said organizations do some
    serious legwork and construct a solution appropriate to IT requirements,
    the managerial types tend to simply buy the sizzle of a salesman and go
    with Brand X's COTS solution (sic). Similarly, Open Source solutions and
    methodologies (most of which are far superior to COTS in most every
    respect) are eschewed because "they cannot be trusted" and "they have no
    tech support." (Their reasons, not mine.)

             The solution? If you can find one, I'll put in a good word for
    you at the Norwegian Nobel Committee. My successes in this area have been
    limited to picking up the pieces after things go to hell and slowly
    cultivating opportunities in which I can influence, alter, or annihilate
    said policies. It ain't for the faint of heart.

    > Am I wrong? Am I overreacting?

             If you are, then I am as well.

    - -Jay

        ( ( _______
        )) )) .-"There's always time for a good cup of coffee"-. >====<--.
      C|~~|C|~~| \----- Jay D. Dyson -- jdyson@treachery.net -----/ | = |-'
       `--' `--' `-- Pardon me, but am I on the right planet? --' `------'

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (TreacherOS)
    Comment: See http://www.treachery.net/~jdyson/ for current keys.

    iD8DBQFCsZE4xzN3WIW0edsRAgFpAJ9h6YoMygSv6dAcV+AxEavLgeMggACcD+tx
    lUPVcpbRhBpCtbADt2so5nU=
    =0i8c
    -----END PGP SIGNATURE-----
