
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Mary Ann speaks - on security testing rules

I just found a new post by Mary Ann Davidson. The post is titled - (broken link) Let Us Now Praise (Not So) Famous Men and Women - this is mostly a post rambling on about military stuff that you can mostly skip over. I was interested and singled it out for one reason. There is a passage in the middle of it about a request from a colleague of Mary Ann's to use the ethical hacking team to test a certain product, but to conduct the test purely within the boundaries of the described functionality and policies of the product. I like Mary Ann's quote from her sister: "Rules? There are no rules! This is war!" - This is true for any hacker. It is simply crazy to conduct a security test bounded by rules of what the application is supposed to do; hackers will try anything to break the application and get it to do something it's not supposed to. This is how bugs are found that can be exploited. Hackers will not simply press buttons; they use software to try every aspect of an application to break it, and then more.

Good post. I have come across similar cases where some developers tend to think that hackers will only use software in the ways that they have designed it. It's a very blinkered approach and why security is easy to break. Developers need to think like hackers when they are designing and creating new applications. This will help to make more secure applications. You need a devious mind; if you have one then it's possible to think of all of the possible attack scenarios and to code against them.

Nice snippet, Mary Ann.