From: Michael Sierchio (kudzu@tenebras.com)
Date: Wed Jul 13 2005 - 14:27:08 EDT
Tom Van de Wiele wrote:
> I find the concept of giving someone a certificate for resisting a
> penetration test very dangerous. Nothing can guarantee that after the
> test (especially a blind penetration test) all vulnerabilities have
> been found and identified.
It's all a matter of what the certificate attests to and how it
is interpreted.
I see nothing wrong with a statement affirming compliance with
consensus best practice, or acceptable resistance to the known,
relevant vulnerabilities on a certain date, etc.
This is by no means a guarantee of "safety" or "security," but
it might be a useful tool in establishing a disciplined approach
to risk.
Dubious analogy: my mechanic signs an inspection certificate that
says that the tire pressure, chain tension, steering, brakes, etc.
are in good condition on my motorcycle -- he's not promising that
I won't crash.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:32 EDT