Re: Government Compliance
From: Jay D. Dyson (jdyson_at_treachery.net)
Date: Thu, 16 Jun 2005 07:48:15 -0700 (PDT) To: Penetration Testers <email@example.com>
-----BEGIN PGP SIGNED MESSAGE-----
On Wed, 15 Jun 2005, Dave wrote:
> Ok, I have big problems with this. There are seperate and distinct
> requirements for maintaining password complexity, performing vuln scans,
> AND performing penetration testing. Any industry guideline or resource
> would never allow this "definition".
It's said that the Giraffe was a Horse designed by committee.
With that in mind, what you're seeing are security decisions made by
committee as well.
Sadly, a lot of agencies (government, corporate and alleged
institutions of higher learning) have the same approach. Managerial
politics and sales drones are more influential in policy decisions than
the input of clued security people. That's why we have 99% of the messes
we see today.
As a consequence, rather than having said organizations do some
serious legwork and construct a solution appropriate to IT requirements,
the managerial types tend to simply buy the sizzle of a salesman and go
with Brand X's COTS solution (sic). Similarly, Open Source solutions and
methodologies (most of which are far superior to COTS in most every
respect) are eschewed because "they cannot be trusted" and "they have no
tech support." (Their reasons, not mine.)
The solution? If you can find one, I'll put in a good word for
you at the Norwegian Nobel Committee. My successes in this area have been
limited to picking up the pieces after things go to hell and slowly
cultivating opportunities in which I can influence, alter, or annihilate
said policies. It ain't for the faint of heart.
> Am I wrong? Am I over reacting?
If you are, then I am as well.
( ( _______
)) )) .-"There's always time for a good cup of coffee"-. >====<--.
C|~~|C|~~| \----- Jay D. Dyson -- firstname.lastname@example.org -----/ | = |-'
`--' `--' `-- Pardon me, but am I on the right planet? --' `------'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.
-----END PGP SIGNATURE-----