
Re: forming a security team for testing

hi ya

On Thu, 28 Oct 2004, Kim wrote:

> I am sorry if I have misunderstood anything but "whatever is needed to
> satisfy yourself". Since this is a personal matter aren't there chances that a
> person may miss important issues? I rather suggest a clear program of checks
> that at least must be done in order to avoid problems.

that's the tricky part .... everybody will want different levels of

there should be minimum basic security  ( eg required updates )
there should be application based updates ( apache/exim/dns/fw/etc )
there should be kernel patches
there should be tcp wrappers and sshd config
there should be ids and what triggers "wake up now" vs "false alarms"
... on and on ...

we'd probably need multiple "security checking" programs

harder or simpler issue will be:
	- how to test to see the app is patched or not susceptible to
	the latest exploit in that package

	- latest/greatest may not necessarily be "more secure"

	- another major issue is "patch now" vs patch later after the
	project is released and then change to new environment,
	changing things in the middle of a development cycle is no fun

- all security testing/qa/release cycles should be "automated"
	- we can all run the security scripts on our own machines
	and see if it dies or what it finds

	- it'd also be nice if the "security checking" can be
	distro neutral
		( same files, same apps, same patches, etc )

c ya
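
Added example, not part of the original message or the project's own tooling: a minimal distro-neutral baseline check for the "tcp wrappers and sshd config" item above, written so anyone can run it on their own machine. The function names, the required values (PermitRootLogin no, PermitEmptyPasswords no, an ALL: ALL rule in hosts.deny) and the sample files are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Reads only plain config files, so it runs the same on any
# distro. The required values below are assumed policy, not from the post.

# First value set for KEYWORD in the global part of an sshd_config file
# (sshd uses the first occurrence; Match blocks and Include are not handled).
sshd_effective() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}
sshd_is() { [ "$(sshd_effective "$1" "$2")" = "$3" ]; }

# True if a hosts.deny file has a catch-all "ALL: ALL" rule.
wrappers_default_deny() {
    awk -F: '
        /^[ \t]*#/ { next }
        { d = $1; c = $2; gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", c)
          if (d == "ALL" && c == "ALL") found = 1 }
        END { exit !found }
    ' "$1"
}

check() {  # check DESCRIPTION COMMAND [ARGS...]
    desc=$1; shift
    if "$@"; then echo "PASS $desc"
    else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Runs every check; exit status is the number of failed checks.
run_baseline() {
    fails=0
    check "sshd: PermitRootLogin no" sshd_is "$1" PermitRootLogin no
    check "sshd: PermitEmptyPasswords no" sshd_is "$1" PermitEmptyPasswords no
    check "tcp wrappers: hosts.deny has ALL: ALL" wrappers_default_deny "$2"
    return "$fails"
}

# Constructed sample input: one weak sshd setting, default-deny wrappers.
tmp=$(mktemp -d)
printf '%s\n' '# sample' 'PermitRootLogin yes' 'PermitEmptyPasswords no' \
    'Match User backup' 'PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' '# sample' 'ALL : ALL' > "$tmp/hosts.deny"
run_baseline "$tmp/sshd_config" "$tmp/hosts.deny" || echo "$? check(s) failed"
```

Against real systems, call `run_baseline` with the paths to the host's sshd_config and hosts.deny; the non-zero exit status lets an automated release cycle stop on any failed check.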
