In response to: "How would you detect such a vulnerability without actually hacking the system? Is one supposed to not notice these things? Will that really make them go away?" White Box and black box testing used in combination. These are not pen. tests contrary to the belief of many people. An implementation test is defined as a commission fault test. This requires full disclosure to be effective. This is a common and known engineering principle. Unfortunately many people who state that they are engineers are in fact not engineers - engineering is a profession and requires certain memberships in professional societies, qualifications etc. There may or not be legislative support for this dependant on the country you happen to be in - but this is another discussion. A quality assurance rather than quality control argument is being held without most of the people on the "we should be allowed to do what we want side" understanding this. The argument of learning on systems that you have no right to explore is flawed as you can not by definition complete either a white box or black box test without being given the rights. If you do not understand this point than it is time to engage in further learning and education. Regards Craig S Wright "White box testing is concerned only with testing the software product, it cannot guarantee that the complete specification has been implemented. Black box testing is concerned only with testing the specification, it cannot guarantee that all parts of the implementation have been tested. Thus black box testing is testing against the specification and will discover faults of omission, indicating that part of the specification has not been fulfilled. White box testing is testing against the implementation and will discover faults of commission, indicating that part of the implementation is faulty. In order to fully test a software product both black and white box testing are required." Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. DISCLAIMER The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
