Is Black Box Testing dead?


When I was reading through the OWASP ASVS 4.0 PDF a few weeks ago, I was stopped in my tracks as early as page 10. Specifically by the following quotes: "Black box testing is not effective assurance and must stop." "Over the last 30+ years, black box testing has proven over and over again to miss critical security issues that led directly to ever more massive breaches."

Now, let me preface this with the clarification that this post is not an attack…

Thoughts on Security Policies


I was asked to write my thoughts about security policies down by a good friend of mine and spent the better part of a Sunday morning in April thinking about the topic. This post is the unedited version of the thought process. I'm sharing it here because it might prove useful for some of you.

How we got here

Security policies, for most organizations, came in vogue in the early 2000s as it became apparent that IT infrastructures became more and more import…