Test-suite for a password protected website

Daniel Pittman daniel at rimspace.net
Sun Dec 28 23:34:28 CST 2003


On Tue, 30 Dec 2003, leif eriksen wrote:
> well, that assumes a lot of things
> 
> 1. The wily hax0r has obtained shell access to your test machine (that is
> the target platform as this is a local test script, not a CPAN module) -
> which is hopefully behind your firewall.

Most reports from CERT and the like suggest that the biggest risk for
your systems is internal, not external, attacks. :)

> 2. If they get that far, they'll probably go for your production servers
> before your test boxes first. This gives us time to kill the shell with
> these env vars defined, or undefine them.

...or be a staff member (or student, or...) who now has access to the
otherwise protected data owned by your company or institution.

Much as you probably like and trust your coworkers, they are still the
biggest security risk your organization faces, and shouldn't be
discounted when doing security analysis.

           Daniel

-- 
Men will always be mad, and those who think they can
cure them are the maddest of all.
        -- Voltaire 
