Security Basics mailing list archives
Re: Metrics for Ethical Hack
From: Vic Vandal <vvandal () well com>
Date: Fri, 14 Mar 2014 12:30:53 -0700 (PDT)
Hi Monika,

There are tools that will run 20,000-30,000 multi-threaded string attacks on an entire crawled website within a couple of hours. How fast can you type web requests and analyze web responses in comparison? (heh)

You also wrote "review code" in your message. If you're reviewing source code, how fast can you read and interpret thousands and thousands of lines of code and compare it to say a dozen common coding mistakes, versus how fast an automated tool can do the same? There really is no comparison. The tool always wins by a mile in the amount of time taken.

But the automated tool will also always have some limitations, and deep manual testing by a true expert can often find a few things that 9 out of 10 automated tools won't. But the automated tools will still find a lot, where a lot of issues exist.

Sorry I didn't provide any actual metrics as requested. But if you do the math on that first sentence you can see that it's at least weeks of effort versus mere hours. If you have one website to audit maybe that's not a big deal. If you have a dozen or a hundred websites that you need to audit every few months (or twice a year or whatever) then the usage of automated tools is the only way to accomplish the task. You simply can't clone yourself to try to match the processing power of the machine. And even if you could clone yourself or hire tons of staff, what's the cost comparison then? Also does your capability and experience match that of the tool developers?

Food for thought.
-Vic

----- Original Message -----
From: "mc" <mccansecure () gmail com>
To: security-basics () securityfocus com, webappsec () securityfocus com, forensics-help () securityfocus com, focus-virus-help () securityfocus com, secureshell-help () securityfocus com, pen-test-help () securityfocus com, loganalysis-help () securityfocus com, honeypots-help () securityfocus com, security-basics-help () securityfocus com, webappsec-help () securityfocus com, webappsec-help () securityfocus com
Sent: Friday, March 14, 2014 9:12:20 AM
Subject: Metrics for Ethical Hack

Hi All

I am interested to know if there is any metric used to measure the amount of time it takes to manually review code vs. using a tool. Any opinion will be appreciated.

Thanks
Monika Chakraborty

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Current thread:
- Metrics for Ethical Hack mc (Mar 14)
- Re: Metrics for Ethical Hack Vic Vandal (Mar 17)