Security Basics mailing list archives
Re: SkillSet for Pen Tester
From: AK <platsakos () gmail com>
Date: Mon, 27 Jun 2011 09:50:18 +0300
Given the scenario presented by the original author (OA from now on) that someone who is "not possible for him to be an expert or at least *have knowledge* of these" (emphasis mine) is actually pen-testing a network, I beg to differ.

The OA mentioned an expansive stack (which gets even more expansive once you take into account differences between revisions) as well as custom software etc. He also added what is one of the main differences between a cracker and a pentester: crackers have infinite time (and scope!), limited only by their interest in said target, whereas pen-testers at some point cannot allocate any more time, finish up their deliverable reports and move on to the next pentest.

Assuming that the network has the low-hanging fruit covered (i.e. it has been pen-tested before), the only way for the attacking team to approximate the lengths that a determined attacker will go to (they are called APTs nowadays, aren't they?) is to have a pool of specialised per-technology pen-testers, a broad scope and ample time, which unfortunately is not always the case, due to practical considerations.

If this is not the case, then what you and the OA suggest is, in essence, a fallback into vulnerability discovery territory ("find _everything_ even things that are only *theoretically* vulnerable" (emphasis mine) or "one way is to perform trail(sic!)&error on each and every exploit for that technology available in google"), which, while valid as its own field, is not what pen-testing is about (and has been discussed to death to be honest).

On 06/26/2011 05:40 AM, Rob wrote:
That is the worst mindset you can have. As a pen tester, you need to find _everything_, even things that are only theoretically vulnerable. Depending on the scope of the pentest, you also need to be able to give recommendations for not only security, but also for assurance and regulatory compliance.

Rob
Sent via BlackBerry by AT&T

-----Original Message-----
From: AK <platsakos () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 23 Jun 2011 03:45:00
To: Vedantam Sekhar <vedantamsekhar () gmail com>
Cc: <security-basics () securityfocus com>
Subject: Re: SkillSet for Pen Tester

As a pen-tester, you just need to find one issue with the technology stack, as opposed to being an expert.

On 06/17/2011 06:31 PM, Vedantam Sekhar wrote:

Hi Group,

When a tester starts the assessment on his client's network, he encounters various technologies, services, protocols, applications built on various technologies (Java, asp, iis, apache, tomcat, ERP, SAP) which he needs to attack. Obviously it may not be possible for him to be an expert or at least have knowledge on these. In this scenario what approach to follow in the limited time window mutually agreed by client & tester? Obviously one way is to perform trail&error on each and every exploit for that technology available in google.

Thnx,
Sekhar

--
What is the air-speed velocity of an unladen swallow?