BugTraq
RE: Vulnerabilites in new laws on computer hacking Feb 16 2006 11:05AM
Marcus J. Ranum (mjr ranum com) (2 replies)
Re: Vulnerabilites in new laws on computer hacking Feb 17 2006 05:43AM
Seth Breidbart (sethb panix com) (1 replies)
"Marcus J. Ranum" <mjr (at) ranum (dot) com [email concealed]> wrote:

> If you're trying to understand the security properties of a
> system by breaking into it, you're not producing valuable
> reports, anyhow. All you are doing is telling them where
> to put the next band-aid.

I know of too many (more than none is too many) examples where a
company went to a Big Consulting Firm and asked for a report on the
security of their systems. Many tens of kilobucks later, they got a
fancy bound report that said "we couldn't break in" followed by 200
pages of ass-covering by the consulting firm. Then they went to a
real security expert, who spent one day attacking their system and
gave them a report saying "here are the five easiest ways I found to
break into your system. Fix them and call me back."

You might not consider that valuable; but how do you consider the
expensive fancy bound completely worthless report?

Seth

Re: Vulnerabilites in new laws on computer hacking Feb 19 2006 01:19PM
ArkanoiD (ark eltex ru)
Re: Vulnerabilites in new laws on computer hacking Feb 17 2006 12:35AM
dave (fla linux gmail com)


 
