> > Subject: A "straw man" vulnerability auditing checklist
> > From: "Steven M. Christey" <coleyat_private>
> > Date: Wed, 4 Dec 2002 19:47:51 -0500 (EST)
> > To: secprogat_private
> >
> > Dana Epp asked:
> >
>>Would anyone like to share the sort of materials that resulted from
>>education in their workplace? Anyone interested in sharing generic
>>security tests they may have developed? Guidelines for code audits and
>>reviews (past Fagan-style type inspection)?

Antonomasia then replied:

> It's quite handy but could do with an example in each section. Some faults
> could be categorised in a number of ways and it's hard to be sure the
> same fault doesn't appear twice under a different title. Also the list of
> titles may not help much - does
> "3e. Missing/repeated/extra separator or delimiter"
> mean things like a PGP 2 fingerprint having different interpretations
> depending on key size ?

Clarifying these entries somewhat would be fine. However, if the reader
doesn't already know what these are, you need more than an example... you
need an explanation of WHY it's a problem, and information on how to fix it.
At that point, you need a book.. but there's already one freely available
for Unix/Linux systems, see:
http://www.dwheeler.com/secure-programs

If you want a checklist, I suggest working to keep it short & clear,
possibly with URL links to elsewhere for more information.
This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 10:08:46 PST