
Re: secprog Digest 8 Dec 2002 02:29:20 -0000 Issue 121

From: David Wheeler <dwheeler(at)ida.org>
Date: Thu Dec 12 2002 - 09:55:33 EST

>
> Subject: A "straw man" vulnerability auditing checklist
> From: "Steven M. Christey" <coley@linus.mitre.org>

>>Would anyone like to share the sort of materials that resulted from
>>education in their workplace? Anyone interested in sharing generic
>>security tests they may have developed? Guidelines for code audits and
>>reviews (past Fagan-style type inspection)?

Antonomasia then replied:

 > It's quite handy but could do with an example in each section.  Some faults
 > could be categorised in a number of ways and it's hard to be sure the
 > same fault doesn't appear twice under a different title.  Also the list of
 > titles may not help much - does
 >     "3e. Missing/repeated/extra separator or delimiter"
 > mean things like a PGP 2 fingerprint having different interpretations
 > depending on key size ?
 >

Clarifying these entries somewhat would be fine. However, if the reader doesn't already know what these are, you need more than an example... you need an explanation of WHY it's a problem, and information on how to fix it. At that point, you need a book... but there's already one freely available for Unix/Linux systems, see: http://www.dwheeler.com/secure-programs

If you want a checklist, I suggest working to keep it short & clear, possibly with URL links to elsewhere for more information.

Received on Thu Dec 12 13:17:02 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT

