
| Subject: | Re: [Full-disclosure] [WEB SECURITY] Re: comparing information security to other industries |
|---|---|
| Date: | Wed, 27 Dec 2006 04:15:50 -0800 |
On 12/27/06, Michael Zimmermann <zim@vegaa.de> wrote:
> ... I think, one possible way to improve the situation is to follow the money to a lesser degree. In our own job as well as in our role as a customer. Ready for that?
if the answer is going to be YES, then the consumer (you) needs a
simple way to visibly and intuitively compare the relative security
merits of similar integrated systems / domains. [0]
some of the aspects / characteristics of interest may include:
- usability!
- defense in depth to guard against failures of privacy,
authentication, or availability [1]
- accountability and oversight of critical operations / privileges
- transparency to expert review and other methods of assuring
integrity (this is one aspect of security where open source software
may provide stronger reputation)
security has to begin at development, and the tools for measuring
security aspects at this level and out into protocols and hardware
platforms are few and rarely used. (look at the MOKB for a recent
reminder...) [2]
0. application and/or operating system security is meaningless by
itself given the way the security flaws of either affect each other
from a user view or effective risk comparison.
1. this is one example where virtualization is a useful way to
constrain the attack surface presented to attackers. chroot and other
resource access control methods can be viewed as a subset of
virtualization-like isolation between security domains, useful for
strong defense in depth along with existing best practices for
development and host integrity.
2. "Month of Kernel Bugs"
http://projects.info-pull.com/mokb/
[fuzz testing, automated regression and load/stress tests,
defensive coding techniques and other measures that address almost all
of the vulnerabilities on this list should be a standard part of any
software development process associated with components of a secure
computing base under the "methods of assuring integrity" aspect of
improving security (the secure computing base including anything
handling cryptographic keys or privileged operating system
functions).]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
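Footnote 2 above argues that fuzz testing and automated regression tests should be a standard part of development for anything in the secure computing base. The following is an added example, not code from the original post or the thread, showing the smallest useful version of that loop: a constructed length-prefixed record format (count byte, then per-record 2-byte big-endian length and payload, an assumption made up for this example), a parser that trusts the declared lengths beside a bounds-checked one, and a mutational fuzzer that treats a ValueError as the parser rejecting input as designed and any other exception as a crash. The input that triggers the crash is returned so it can be pinned as a regression test.

```python
import random
import struct

# Constructed sample input (not from the original post): a count byte followed by
# that many records, each a 2-byte big-endian length and a payload of that length.
SEED_INPUT = bytes([3]) + b"\x00\x03abc" + b"\x00\x05hello" + b"\x00\x02zz"


def parse_records_unchecked(data: bytes):
    """Parser that trusts the count and declared lengths. Truncated or corrupted
    input surfaces as struct.error or IndexError instead of a controlled error."""
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        records.append(data[pos:pos + length])
        pos += length
    return records


def parse_records_checked(data: bytes):
    """Same format with every read bounds-checked; malformed input raises ValueError only."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos = 1
    records = []
    for _ in range(count):
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        if pos + length > len(data):
            raise ValueError("declared length exceeds input")
        records.append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random mutation: truncate, flip one bit of a byte, or insert a byte."""
    choice = rng.randrange(3)
    if choice == 0 and len(data) > 0:
        return data[:rng.randrange(len(data))]
    if choice == 1 and len(data) > 0:
        i = rng.randrange(len(data))
        return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]
    i = rng.randrange(len(data) + 1)
    return data[:i] + bytes([rng.randrange(256)]) + data[i:]


def fuzz(parser, seed_input: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Mutational fuzz loop. ValueError means the parser rejected the input as
    designed; any other exception is a crash, and (input, exception) is returned
    so the input can be kept as a regression case. Returns None if nothing crashed."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        candidate = mutate(rng, seed_input)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception as exc:  # any non-ValueError exception is the finding
            return candidate, exc
    return None


if __name__ == "__main__":
    for name, parser in (("unchecked", parse_records_unchecked),
                         ("checked", parse_records_checked)):
        result = fuzz(parser, SEED_INPUT)
        if result is None:
            print(f"{name}: no crash in 2000 iterations")
        else:
            print(f"{name}: {type(result[1]).__name__} on input {result[0]!r}")
```

The unchecked parser falls over on the first truncation that cuts into a length field; the checked one turns every such case into a ValueError with the fuzz loop never seeing a crash. The same harness, fed real-world inputs rather than a constructed seed, is the "fuzz testing plus regression" minimum the footnote asks for.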