For the most part, I agree with Ben's comments. For completeness, a system can be as secure as possible if a vulnerability assessment of that system is conducted, and that information is then used to launch a "full disclosure pen-test" or perhaps more appropriately, a "verification analysis".

However, like anything else, this is only a snapshot of the system in time. We then get into the change control/management process, and where verification testing fits in such a process.

> But any "analysis" process should include external verification - ie that
> the box is doing what you told it to do, right?
>
> This is quite distinct from the traditional pen-test in that it isn't blind.
>
> I think that to create the most secure system possible, blind pen-testing is
> a waste of time -
This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 12:37:50 PDT