[aklug] Re: Information Systems Audit

From: Damien Hull <dhull@section9.us>
Date: Sat Feb 09 2013 - 16:26:25 AKST

Thanks for the information on this subject. I think I've learned two
things. One, this is hard to do. Two, don't trust the programmers.

It would be interesting to see how companies like Amazon and Facebook
handle application security. I'm sure they have this down to a science.
Maybe something along the lines of a security framework like sp800-30 by
NIST and ISO 27001.

Lots to learn...

On Wed, Feb 6, 2013 at 2:25 PM, Shane Spencer <shane@bogomip.com> wrote:

> Honestly.. I find the best approach to discovering the unknown to be
> starting from square one without any shortcuts. I like the idea of having
> two teams - one to use the software and find obvious issues and work on
> them and one elite haxor ninja crew to try everything else.
>
> Ain't no such thing as the best solution. That said.. always ask your
> friends to hack you. :) In fact that should just be a thing at all times..
> hack your buddies.
>
> - Shane
>
>
> On Wed, Feb 6, 2013 at 1:30 PM, Doug Davey <doug.davey@gmail.com> wrote:
>
>> The point of the audit software is to give a finite list of flaws. If
>> you don't punch holes in your own security, and can detect when others do,
>> you can catch the tortoise.
>>
>> I think that the only way to build a secure site of a large size is to
>> use test based programming. That way any change to the program is verified
>> against all previous development automatically.
>>
>>
>> On Wed, Feb 6, 2013 at 12:36 PM, Marc Grober <marc@interak.com> wrote:
>>
>>>
>>>
>>> On Feb 6, 2013, at 11:21 AM, Tom Simes <simestd@netexpress.com> wrote:
>>> > Don't forget those sneaky individuals that roll their own distros, no
>>> > telling WHAT they are stuffing in the folds ;)
>>>
>>> Virtually anything can be hidden in plain sight in a *x system. As an SA
>>> do you run a regular report on changed time stamps? Clock anomalies?
>>> Reboots? sudo and su? How do you sort and address alarms and warnings? If
>>> you can't stop whatever, can you detect & remediate quickly enough? Bottom
>>> line is one of your worst enemies is your user demand for speed. Get rid of
>>> the users and life would be much more secure ;-)
>>>
>>> ---------
>>> To unsubscribe, send email to <aklug-request@aklug.org>
>>> with 'unsubscribe' in the message body.
>>>
>>>
>>
>

Received on Sat Feb 9 16:26:33 2013
