Dr Cohen wrote:
> I am getting really confused. A lot of people on this list seem to
> think that testing is a theoretical thing that you do to stop
> theoretical threats, and that practical programmers don't need to do
> testing because they can look at their code and know it's right.
It's theoretical as long as one only talks about it. Why don't you
publish a test specification? That would be a real thing.
> Most of the firewall vendors and other people on this list write
> programs, never test them at the boundary conditions, and assume that
> they work properly because the code looks right to them and seems to
> work when they try it on their application. When someone asks about
> boundary conditions, they say they have never tested it, but that they
> looked at the source code and figure it will work the same way under
> high stress conditions as under normal load conditions.
This is not the impression I have from reading this list. Nor the
impression I get from studying parts of the fwtk. Most programmers
probably test a lot of boundary conditions, and omit testing a lot of
boundary conditions. Heck, we live in a real world (at least I think
> The lack of
> experimental confirmation presents no problem for the producers or
> consumers and presents no impediment to the purchase of a firewall from
> such a vendor.
"experimental confirmation" as you well know (I gather from one of your
previous mails) has a very limited value. Since firewalls can be very
different, and put to very different usages, I believe that the most
effective testing has to be specified by the end user and has to be
performed on site. As I wrote earlier, I'm working on a "security
policy" document which will include test specifications for different
scenarios. I would really appreciate help, ideas, pointers, etc.
/// Martin F