Re: Thou shalt have no other gods before the ANSI C standard

From: Brian Inglis (Brian.Inglis_at_SystematicSW.Invalid)
Date: 02/24/05


Date: Thu, 24 Feb 2005 16:10:50 GMT

On Wed, 23 Feb 2005 18:21:21 +0000 (UTC) in alt.folklore.computers,
daw@taverner.cs.berkeley.edu (David Wagner) wrote:

>JMFBAH wrote:
>>Consider the psychology of a person who is trying to break
>>security. They will approach it using the same sets of
>>tests that a quality control engineer would use with the
>>exception that this tester will not report the bug nor
>>fix it but use it.
>
>That turns out not to be the case. In the industry organizations with
>which I am familiar, testers usually aren't looking for the same kind
>of bugs that hackers are. In the software development organizations
>with which I am familiar, most testers are looking for functionality
>bugs rather than security bugs. Hackers find bugs that are obscure,
>corner cases that would never come up under normal settings.
>
>I've talked to quite a few folks on the industry side. They all report
>the same lament: testers who can effectively test for security are very
>rare, and it is hard to test for security. This should not be surprising,
>when you consider what testing is good at and not so good at.

It is also very hard to get project managers to even consider testing
security: they consider it part of the infrastructure and therefore
outside the scope of any development project, so do not treat it
seriously. This could partly explain why some internet-facing
applications have egregious issues that allow breaches.

-- 
Thanks. Take care, Brian Inglis 	Calgary, Alberta, Canada
Brian.Inglis@CSi.com 	(Brian[dot]Inglis{at}SystematicSW[dot]ab[dot]ca)
    fake address		use address above to reply