I learned of this post by Marcus Ranum through commentary by Dave Goldsmith. In brief, I agree with much of what MJR says. However, I think pen testers perform a valuable service. I do not think that it is possible for some modern enterprise code to be fully comprehended by any individual or team of developers or security engineers.
If the code cannot be fully understood statically, it must be tested dynamically. A live test will reveal how the system acts when working, and may reveal unanticipated interactions or vulnerabilities. In light of this fact, I think pen testers who unearth these flaws perform a valuable service. If it's not tested, it's not a service.
Update: Thanks to Tom's comment below, I changed the attribution to fellow Matasano poster Dave Goldsmith.
Selasa, 21 Februari 2006
Brief Thoughts on MJR Pen Testing Post
Langganan:
Posting Komentar (Atom)
0 komentar:
Posting Komentar