Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "Selling" a code-audit.

from [Travis Schack] Network Security [Permanent Link]
Subject: Re: "Selling" a code-audit.
Date: 2 Sep 2004 19:37:56 -0000 
In-Reply-To: <20040830173905.15733.qmail@mail2.securityfocus.com>

Yvan,

There are many factors that can be influencing the hostile responses to your 
security findings.  Some you can control and others you cannot.  How is the 
audit being approached?  What is the objective of the audit?  Is this being 
forced on the development team from management?  Will there be attribution from 
the audit?  Are the findings presented as best practice or based on opinions?  
What is the experience level of the developer(s) that is providing the 
feedback?  Are the comments from developers or management?  

All you can do is emphasize that you are there to help and provide guidance 
based on your expertise, the experience of your team and company, and that all 
findings are based on best practices and known issues.  Do not become defensive 
yourself or hostile back.  Make sure that you are getting buy-in from the 
development team's management.  If one of the objectives of the audit is 
non-attribution, then the management of the team needs to stress this before 
the actual findings are presented to the team.  You are there to provide your 
findings as a security professional and it is up to the management of that 
company to decide if they will accept the findings or not.

Unfortunately, you will always have someone in the room that will not agree 
with you.  If you achieved all the objectives of the audit and base all 
findings on fact, best practices and known issues, it will be hard to dispute 
and you have accomplished your job as a security professional.

Travis Schack
Vitalisec Inc.




One of my primary responsibilities with my employer is performing code
audits; so far I have been fairly effective in a technical capacity, however
on almost every single code audit I have participated in I have received
hostile responses from the development team.  I have tried a variety of
approaches to develop a stronger rapport with the development team, however
in spite of my best efforts I find that going into a code audit I am already
fighting against preconceptions about why the code audit is being performed.


I understand that many people feel threatened when work they have done is
criticized; what I need to know is how I can minimize this and coax the
development teams into being more interactive than defensive.  Any pointers?
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Security Issues with STL?, D K
Next by Date:  Fwd: "Selling" a code-audit., John T. Cox
Previous by Thread:  RE: "Selling" a code-audit., Browne, Derek
Next by Thread:  RE: "Selling" a code-audit., Michael Howard
Indexes:  [Date] [Thread] [Top] [All Lists]