On Wed, Nov 02, 2005 at 11:14:22PM +0100, Bernd Eckenfels wrote:
> In article <5c69840f54112c46968c22cfc3d3d632@turingstudio.com> you wrote:
> > I'm looking for (preferably) a company, or individual, to attempt to
> > breach a standard config I have created to deploy client applications
> > in production. It is intentionally a minimal config which is tightly
> > locked down and audited daily.
>
> I think it is very bad efficiency to do black-box testing, because it
> requires a very good attacker and much time to find a problem. And if you
> don't find one, you can't be sure you are secure. It is much better to let
> the external auditor verify your configuration. Give them access to all
> config files and documentation, your risk matrix etc. This is much cheaper
> and much more successful.

(This is starting to get off-topic)

You are in some way right: black-box testing does not give you as much
coverage of present vulnerabilities as a proper security review.

But also somewhat wrong: a black-box test is much cheaper than a full
security audit of a system. The main difference is that lots of the work in
black-box tests is automated and lots of tools are available to do parts of
the job, while a full system security review, including even a source code
review if there are in-house applications, demands more brains, skills and
time.

Regards

Javier