Security Basics mailing list archives

Re: SkillSet for Pen Tester


From: AK <platsakos () gmail com>
Date: Mon, 27 Jun 2011 09:50:18 +0300

Given the scenario presented by the original author (OA from now on)
that someone who is "not possible for him to be an expert or at least
*have knowledge* of these"(emphasis mine) is actually pen-testing a
network, I beg to differ.

The OA mentioned an expansive stack (which gets even more expansive once
you take into account differences between revisions) as well as custom
software etc. He also added what is one of the main differences between
a cracker and a pentester: crackers have infinite time (and scope!),
limited only by their interest in said target, whereas pen-testers at
some point cannot allocate any more time, finish up their deliverable
reports and move on to the next pentest. Assuming that the network has
the low-hanging fruit covered (i.e. it has been pen-tested before), the
only way for the attacking team to approximate the lengths that a
determined attacker will go to (they are called APTs nowadays, aren't
they?) is to have a pool of specialised per-technology pen-testers, a
broad scope and ample time, which unfortunately is not always the case,
due to practical considerations. If this is not the case, then what you
and the OA suggest in essence is a fallback into vulnerability
discovery territory ("find _everything_ even things that are only
*theoretically* vulnerable" (emphasis mine) or "one way is to perform
trail(sic!)&error on each and every exploit for that technology
available in google"), which, while valid as its own field, is not what
pen-testing is about (and has been discussed to death to be honest).


On 06/26/2011 05:40 AM, Rob wrote:
That is the worst mindset you can have.

As a pen tester, you need to find _everything_, even things that are only theoretically vulnerable. Depending on the scope of the pentest, you also need to be able to give recommendations for not only security, but also for assurance and regulatory compliance.

Rob
Sent via BlackBerry by AT&T

-----Original Message-----
From: AK <platsakos () gmail com>
Sender: listbounce () securityfocus com
Date: Thu, 23 Jun 2011 03:45:00 
To: Vedantam Sekhar<vedantamsekhar () gmail com>
Cc: <security-basics () securityfocus com>
Subject: Re: SkillSet for Pen Tester

As a pen-tester, you just need to find one issue with the technology
stack, as opposed to being an expert.

On 06/17/2011 06:31 PM, Vedantam Sekhar wrote:
Hi Group,

When a tester starts the assessment on his client's network, he
encounters various technologies, services, protocols, applications
built on various technologies (Java, asp, iis, apache, tomcat, ERP, SAP)
which he needs to attack. Obviously it may not be possible for him to
be an expert or at least have knowledge on these. In this scenario what
approach to follow in the limited time window mutually agreed by
client&tester? Obviously one way is to perform trail&error on each and
every exploit for that technology available in google.

Thnx,
Sekhar




-- 
What is the air-speed velocity of an unladen swallow? 

