Is that exploit code showing your biggest threat?
Roger Grimes has a new article in his InfoWorld Security Adviser column - "Compiling exploit code: a network-security must."
He has some good advice about how to handle exploit code:
- carefully, and with much scepticism - "many exploits don’t work as advertised"
- on a separate machine - "many networks contain defenses that offset the exploit’s attack vector"
I really do doubt the benefits of this one, though: "testing exploit code gives you a sexy demonstration that can be used to convince team members and management about the value of your computer security defenses".
If your colleagues and management are so unconvinced of the value of security that they need you to take out a system or two in order to believe that you're doing your job, then surely that's the biggest security concern in your company - that none of the staff you need to support your efforts believe that better security is necessary.
I'd add one note of scepticism to the search for exploits - often the 'exploits' do little more than appear dangerous while executing ordinary behaviours. Anyone who's seen a web page that supposedly scans your hard drive and returns it to you, while doing nothing more scary than a link to file://c:/, will know what I mean. Sometimes, though, they're more subtle, such as the demonstrations that you can make Visual Studio run code simply by opening a project file. That's as designed, but it certainly sounds scary.