Security Basics mailing list archives

Re: Vulnerability Scanning Doesn't Work


From: krymson () gmail com
Date: 13 Jan 2009 17:13:51 -0000

Mr. Desautels,

The impression I get is that you blanket despise any automated testing? Maybe I'm wrong in that impression, but that 
seems like a dangerously narrow view. Are there any pen-testers who do not use any automation at all?

Further, let's say a good pen-tester does her testing manually and uses a good methodology and gives a certain 
deliverable. Almost certainly she will re-use that same deliverable template for another client, just like using the 
same methodology.

Isn't one of the points of re-using consistent methodologies so you don't have to reinvent the whole test over again 
the next time? It would follow that as she does more assessments, she will automate various pieces so that her time 
commitment lessens on those pieces, resulting in better returns or more time spent elsewhere.

Continue down this path long enough, and you have... automation, which you despise.

I'm confused...maybe we must do it the hard way? To me, that seems to be the common opinion of people who despise 
'script kiddies' when in fact they may be more efficient than someone sticking to their manual tools?

I'm not saying automation should replace human pen-testers; absolutely not! But take care to include both and not just 
despise one because it may be below you or easy or less accurate. Your real argument is with people who accept those 
automated reports as religion...and I don't think you'll find any of those people on this list or in your audience. 
Don't shoot automated testing just because some people use only them for their checklist security.


Cheers!


<- snip ->

Nevertheless, automated scanning doesn't produce an accurate
deliverable. That is in fact impossible. Manual testing can produce a
very accurate deliverable if it's done right with the right
methodology. Hence my gripe with any security provider that offers
services whose products are the direct result of automated testing.
