Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 13 Nov 2006 16:57:43 -0500
-----Original Message-----
Subject: Re: [Dailydave] "The organization I belong to doesn't have initals"(that evil dude in Heroes)
> When I was a consultant my shtick was that a "pen-test" is a complete waste of time if you don't have your other ducks in line. This was based on the un-scientific research conducted by myself that basically concluded that 99/100 pen-tests are almost always successful. So, I could tell the client, without even looking at their network, that there was a 99% chance that they could be compromised by either a pen-test team or a malicious individual. So why spend your already small budget on something that has results that can be assumed?
That's a misleading way to frame the conversation, don't you think? A pen-test isn't supposed to answer the yes/no question, "Can you be hacked?" It's supposed to ask the open-ended questions, "How can you be hacked?" and "How can you fix it?"
> Don't get me wrong, there is huge value in pen-tests, especially when you have someone with real skills (not someone who simply tells you about your ICMP timestamps, as Dave said) doing a pen-test for you, but why not have this sort of work done after you have done the compliance and patch management dance? Only then will it bring out the real value which, as Dave said, is popping zero days in your infrastructure instead of simply telling you that you need to patch more. The other caveat here, of course, is that there is no use in popping zero day on someone if you are unable to help them actually remediate the risk and protect from it.
Yes! Why spend energy finding new bugs when you're in no position to fix the ones you already know about? It's very much putting the cart before the horse.
> PS: Don't even get me started on my rant on the "ICMP timestamp" guys. Dave and the rest of you in the pen-test game should be eating those guys' lunch, among other things. Especially in this day and age.
Except that companies do 3rd-party pen-tests for reasons other than security, like compliance. Also, differentiating between the work done by Immunity and, say, Qualys* is a customer education issue. Oh, and don't forget the almighty dollar - because that's an easy way to tell Immunity and Qualys apart that doesn't hurt Qualys' business one bit.

PaulM

* Totally not picking on Qualys, but I figure I'm less likely to offend their software than if I named a firm that sells consulting engagements. :)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- "The organization I belong to doesn't have initals" (that evil dude in Heroes) Dave Aitel (Nov 12)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Pete Herzog (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Paul Melson (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Olef Anderson (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Nicolas RUFF (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) David Maynor (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Daniel (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Siim Põder (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 15)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) dan (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Rhys Kidd (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 16)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)