
Re: whitehat to test a security config



On Wed, Nov 02, 2005 at 11:14:22PM +0100, Bernd Eckenfels wrote:
> In article <5c69840f54112c46968c22cfc3d3d632@turingstudio.com> you wrote:
> > I'm looking for (preferably) a company, or individual, to attempt to 
> > breach a standard config I have created to deploy client applications 
> > in production. It is intentionally a minimal config which is tightly 
> > locked down and audited daily.
> 
> I think it is very inefficient to do black-box testing, because it
> requires a very good attacker and much time to find a problem. And if you
> don't find one, you can't be sure you are secure. It is much better to let
> the external auditor verify your configuration. Give them access to all
> config files and documentation, your risk matrix etc. This is much cheaper
> and much more successful.

(This is starting to get off-topic)

You are in some way right: black-box testing does not give you as much
coverage of present vulnerabilities as a proper security review.

But also somewhat wrong: a black-box test is much cheaper than a full
security audit of a system. The main difference is that lots of the work in a
black-box test is automated and lots of tools are available to do parts of
the job, while a full system security review, including even a source code
review if there are in-house applications, demands more brains, skills and
time.

Regards

Javier
