[By way of Valery Pryamikov]
The sixth article in my IEEE Security & Privacy magazine series called
"Building Security In" is on Penetration Testing. This article was
co-authored by Brad Arkin (Symantec) and Scott Stender. As a service to
the community, we're making advance copies available here:
I am sure many of you already subscribe to S&P. If you don't yet, you
should...check out http://www.computer.org/security/
Previous articles in the series:
And, Dana Epp cites the same article and a part that really sums up the article:
However, it's unreasonable to verify that a negative doesn't exist by merely enumerating actions with the intention to produce a fault, reporting if and under which circumstances the fault occurs. If "negative" tests don't uncover any faults, we've only proven that no faults occur under particular test conditions; by no means have we proven that no faults exist. When applied to security testing, where the lack of a security vulnerability is the negative we're interested in, this means that passing a software penetration test provides very little assurance that an application is immune to attack. One of the main problems with today's most common approaches to penetration testing is misunderstanding this subtle point.
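The quoted passage's point (a clean run of enumerated negative tests says nothing about inputs outside the enumeration) can be made concrete with a small constructed example. The code below is added here and is not from the article or from the blog; the base directory, the blocklist filter, the probe list and the "unprobed" inputs are all constructed for illustration. A blocklist path filter rejects every probe a tester thought to send, so the "negative" test passes, yet two inputs the probe list never contained still escape the base directory. A canonicalizing allowlist check passes the same probes and also closes the gaps, which is the difference between "no fault found under these conditions" and "no fault exists".

```python
"""Constructed example: a passing set of negative tests is not proof of absence.

Hypothetical code written for this post; nothing here comes from the IEEE article.
"""
import posixpath

BASE_DIR = "/srv/app/files"          # constructed base directory for the example
BLOCKED_TOKENS = ("../", "..\\")     # exactly the tokens a naive filter expects


def naive_is_safe(user_path: str) -> bool:
    """Blocklist check: rejects only the literal traversal tokens above.

    This is the kind of filter that looks fine against a fixed probe list.
    """
    return not any(tok in user_path for tok in BLOCKED_TOKENS)


def canonical_is_safe(user_path: str, base: str = BASE_DIR) -> bool:
    """Allowlist check: canonicalize, then require the result to stay inside base.

    An absolute user_path replaces base in posixpath.join, so that case is
    caught by the prefix test rather than by looking for specific tokens.
    """
    full = posixpath.normpath(posixpath.join(base, user_path))
    return full == base or full.startswith(base + "/")


# Constructed probe list: what an enumerating "negative" test might send.
NEGATIVE_PROBES = ["../etc/passwd", "../../etc/shadow", "docs/../../secret", "./../x"]

# Constructed inputs the probe list never covered. Two of them leave base;
# "docs/.." canonicalizes back to base and is legitimately acceptable.
UNPROBED_INPUTS = ["..", "/etc/passwd", "docs/..", "docs/readme.txt"]


def passes_negative_tests(check, probes=NEGATIVE_PROBES) -> bool:
    """True when every probe is rejected: the 'no fault found' outcome."""
    return all(not check(p) for p in probes)


def escapes_missed(check, inputs=UNPROBED_INPUTS) -> list:
    """Inputs the check accepts even though canonicalization shows they leave base."""
    return [p for p in inputs if check(p) and not canonical_is_safe(p)]


if __name__ == "__main__":
    for name, check in (("naive blocklist", naive_is_safe),
                        ("canonical allowlist", canonical_is_safe)):
        print(f"{name}: negative tests pass = {passes_negative_tests(check)}, "
              f"escapes missed = {escapes_missed(check)}")
```

Both checks report a clean negative test run; only the canonicalizing check reports an empty list of missed escapes. That is the assurance gap the quoted paragraph describes: the first result is a statement about the probe list, not about the filter.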
Timely, and independent of the article, I have submitted a proposal to talk on Penetration Testing with ASP.NET Applications at Code Camp III.