[Dshield] OK, so what would YOU test?

Brenden Walker BKWalker at drbsystems.com
Fri Apr 18 15:46:39 GMT 2008

> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Phillip Reed
> Sent: Friday, April 18, 2008 9:57 AM
> To: list at lists.dshield.org
> Subject: [Dshield] OK, so what would YOU test?
> I'm being tasked for developing security testing strategies
> for my company.

<big snip>

This is a very difficult area to cover.

I'd like to direct you to: http://www.schneier.com/crypto-gram-0804.html#2

Read "The Security Mindset"

Unless you can cultivate/hire someone with the right skillset/mindset, all you can really do is test known hacks/problems against your software (buffer overflow/SQL injection, etc.).  Testing all these known problems is of course good, and should be done.  The real problems are unknown attacks as far as I'm concerned.  To find those you need someone 'special', and just finding that person could be very difficult.  How do you even recognize them?

For similar things we've chosen to hire well established outside help.

Just my 2 cents, YMMV.
