In response to:
"How would you detect such a vulnerability without actually hacking the
system? Is one supposed to not notice these things? Will that really
make them go away?"
White Box and black box testing used in combination. These are not pen.
tests contrary to the belief of many people. An implementation test is
defined as a commission fault test. This requires full disclosure to be
effective. This is a common and known engineering principle.
Unfortunately many people who state that they are engineers are in fact
not engineers - engineering is a profession and requires certain
memberships in professional societies, qualifications etc. There may or
not be legislative support for this dependant on the country you happen
to be in - but this is another discussion.
A quality assurance rather than quality control argument is being held
without most of the people on the "we should be allowed to do what we
want side" understanding this. The argument of learning on systems that
you have no right to explore is flawed as you can not by definition
complete either a white box or black box test without being given the
rights. If you do not understand this point than it is time to engage in
further learning and education.
Regards
Craig S Wright
"White box testing is concerned only with testing the software product,
it cannot guarantee that the complete specification has been
implemented. Black box testing is concerned only with testing the
specification, it cannot guarantee that all parts of the implementation
have been tested. Thus black box testing is testing against the
specification and will discover faults of omission, indicating that part
of the specification has not been fulfilled. White box testing is
testing against the implementation and will discover faults of
commission, indicating that part of the implementation is faulty. In
order to fully test a software product both black and white box testing
are required."
Liability limited by a scheme approved under Professional Standards Legislation
in respect of matters arising within those States and Territories of Australia
where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If
you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.
Any views expressed in this message are those of the individual sender. You may
not rely on this message as advice unless it has been electronically signed by
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a
Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments
due to viruses, interference, interception, corruption or unauthorised access.
