The fly in this ointment is that the testers (of whatever stripe) are being trusted to reveal all the flaws that they find. One way of assuring that is flaw injection, but it's imperfect, because you can never prove that failure to find the flaw was deliberate.
The same problem applies to penetration tests, which is why hiring former felons to do it is not risk-free.

-- Barney Wolff  http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.