[aklug] Re: Information Systems Audit

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Wed Feb 06 2013 - 11:05:17 AKST

I haven't started a flame war in a while, so...

On Wed, 6 Feb 2013, Damien Hull wrote:

> I'm taking an information systems auditing class. Most of this requires an
> understanding of controls and how they apply to different systems and
> devices. It gets tricky when custom applications and websites are included
> in the audit.
>
> Are there any tools that can automate the process?
>
> According to material provided to the class, Rough Auditing Tool for
> Security is one application. It's supposed to audit C code for basic
> vulnerabilities.
>
> In the real world I would leave application and website auditing to the
> programmers. I'm just looking for more info on the subject.

Leaving security & auditing to the programmers would be a horrible mistake.
Most of the web jockeys I've known may be able to come up with great
applications, but they typically know jack squat about security. There's a
reason why the web is one of the biggest attack vectors in use today.

It's not that they're not capable of understanding, but that their focus is
typically "make it do function a" without caring or anticipating side
effects b, c, and d.

Trust no one. Especially application developers.

         --Arthur Corliss
           Live Free or Die
Received on Wed Feb 6 11:05:29 2013
