Friday, May 27, 2005

Software Quality Risk Assurance: Feasible or Desirable?

For those of you who have never heard of the Metasploit project, now you have. This could be your worst nightmare or it could be your best ally.

This is the Metasploit Project. The goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. This site was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers. The tools and information on this site are provided for legal penetration testing and research purposes only.


In a recent presentation by Dr. Eric Cole, CTO of the Advanced Technology Research Center at Sytex, Metasploit was highlighted as a tool that could be utilized to attack your own systems. Why?

At the 50,000 ft. level, the logic goes something like this. You have to run the same tools that attackers use against your own networks to understand exactly where your vulnerabilities lie. If only the Chief Risk Officer or Chief Information Security Officer knew what challenges they really face in the next phase of Information Warfare.

The ethics of providing such tools is no different from other debates embedded in the US Constitution, such as the Right to Bear Arms. At some point the call for regulation will become louder than it is today. What really matters is that technology companies invest more heavily in software quality assurance and do more diligent testing. Many have realized that a bug or vulnerability caught after general release costs exponentially more to fix than one caught at an early stage of software development.

And that is exactly why the Metasploit project exists. Six Sigma software quality risk assurance is neither feasible nor desirable for most companies that develop operating systems and applications for the high technology sector, so the vulnerabilities ship, and somebody has to find them after release.
