nuqneH,

Actually, both are quite useless and non-informative. (Should I explain?)

"Fixing the holes" is, by my estimation, hardly more than 10% of the computer security process. Thanks to stupid Hollywood movies, customers are almost completely unaware of that :-( They still think a computer security expert is a person who performs attacks and provides a report if he succeeds.

On Fri, Feb 17, 2006 at 12:43:49AM -0500, Seth Breidbart wrote:
> "Marcus J. Ranum" <mjr@xxxxxxxxx> wrote:
>
> > If you're trying to understand the security properties of a
> > system by breaking into it, you're not producing valuable
> > reports, anyhow. All you are doing is telling them where
> > to put the next band-aid.
>
> I know of too many (more than none is too many) examples where a
> company went to a Big Consulting Firm and asked for a report on the
> security of their systems. Many tens of kilobucks later, they got a
> fancy bound report that said "we couldn't break in" followed by 200
> pages of ass-covering by the consulting firm. Then they went to a
> real security expert, who spent one day attacking their system and
> gave them a report saying "here are the five easiest ways I found to
> break into your system. Fix them and call me back."
>
> You might not consider that valuable; but how do you consider the
> expensive fancy bound completely worthless report?
>
> Seth