Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Article on Penetration Testing

Friday, December 10, 2004


[By way of Valery Pryamikov]

Gary McGraw writes today on the sc-l mailing list:

The sixth article in my IEEE Security & Privacy magazine series called "Building Security In" is on Penetration Testing. This article was co-authored by Brad Arkin (Symantec) and Scott Stender. As a service to the community, we're making advance copies available here:

http://www.cigital.com/papers/download/bsi6-pentest.pdf

I am sure many of you already subscribe to S&P. If you don't yet, you should...check out http://www.computer.org/security/

Previous articles in the series:

http://www.cigital.com/papers/download/bsi5-static.pdf
http://www.cigital.com/papers/download/misuse-bp.pdf
http://www.cigital.com/papers/download/risk-analysis.pdf
http://www.cigital.com/papers/download/j2oth-qxd.pdf
http://www.cigital.com/papers/download/software-security-gem.pdf

And Dana Epp cites the same article, quoting a passage that really sums it up:

However, it’s unreasonable to verify that a negative doesn’t exist by merely enumerating actions with the intention to produce a fault, reporting if and under which circumstances the fault occurs. If "negative" tests don't uncover any faults, we've only proven that no faults occur under particular test conditions; by no means have we proven that no faults exist. When applied to security testing, where the lack of a security vulnerability is the negative we're interested in, this means that passing a software penetration test provides very little assurance that an application is immune to attack. One of the main problems with today's most common approaches to penetration testing is misunderstanding this subtle point.

Timely, and independent of the article, I have submitted a proposal to talk on Penetration Testing with ASP.NET Applications at Code Camp III.
