Security musings (reflectorium)
Thursday, February 26, 2004
  Open Source Methodologies for Security Testing
I went to a FIST conference the other day in Frankfurt (at the university there). It took from 18:00 to 21:00, a bit more than a dozen people in attendance (incl. Alberto from CISSP-FFM!).
From the invitation: "FIST Conferences are free and open events where to present and talk different aspects of Penetration Testing and Information Security. Presentation of recent conferences in Madrid, Bombay, Delhi, Bangalore, Pune are available here...."
The final agenda was
  • Introduction - by Frank Sadowski, Coordinator OISSG Frankfurt and Balwant Rathore from OISSG
  • Information System Security Testing Framework (ISSTF) draft - by Balwant Rathore, CISSP from OISSG
  • ISSTF Web Application Security Testing Approach by Frank Sadowski

We had good discussions, especially on the risks in penetration testing and the overall need for a good methodology for Web Services testing. - I went away with the feeling that while penetration testing is at times "appealing" to management, from my point of view it has its shortcomings:
  • Penetration test findings are often wiped away by the IT dept., with a simple "ok, we'll patch the servers then"
  • You really test the skills/abilities of the pen testers, not the environment.
  • No one can tell whether spending 100,000 USD instead of 20,000 USD has an added benefit.

Interestingly enough, there are other (rival?) groups pondering open methodologies for security testing, e.g.
---
http://www.ncjrs.org/
http://virlib.ncjrs.org/lawe.asp?category=48&subcategory=193
Electronic Crime Scene Investigations - Guide for first responders
http://www.ncjrs.org/pdffiles1/nij/187736.pdf
---
WS-I releases Web Services Security Scenarios
http://www.ws-i.org/
http://www.techweb.com/wire/story/TWB20040225S0014
http://www.ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf