Dailydave mailing list archives

Re: "The organization I belong to doesn't have initials" (that evil dude in Heroes)


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 13 Nov 2006 16:57:43 -0500

-----Original Message-----
Subject: Re: [Dailydave] "The organization I belong to doesn't have initials"
(that evil dude in Heroes)

When I was a consultant my shtick was that a "pen-test" is a complete waste
of time if you don't have your other ducks in line.  This was based on the
un-scientific research conducted by myself that basically concluded that
99/100 pen-tests are almost always successful.  So, I could tell the client,
without even looking at their network, that there was a 99% chance that they
could be compromised by either a pen-test team or a malicious individual.  So
why spend your already small budget on something that has results that can be
assumed?

That's a misleading way to frame the conversation, don't you think?  A
pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
It's supposed to ask the open-ended questions, "How can you be hacked?" and
"How can you fix it?"   


Don't get me wrong, there is huge value in pen-tests, especially when you
have someone with real skills (not someone who simply tells you about your
ICMP timestamps, as Dave said) doing a pen-test for you, but why not have this
sort of work done after you have done the compliance and patch management
dance?  Only then will it bring out the real value which, as Dave said, is
popping zero days in your infrastructure instead of simply telling you that
you need to patch more.  The other caveat here of course is that there is no
use in popping zero day on someone if you are unable to help them actually
remediate the risk and protect from it.

Yes!  Why spend energy finding new bugs when you're in no position to fix
the ones you already know about?  It's very much putting the cart before the
horse.


PS: Don't even get me started on my rant on the "ICMP timestamp" guys.  Dave
and the rest of you in the pen-test game should be eating those guys' lunch,
among other things.  Especially in this day and age.

Except that companies do 3rd-party pen-tests for reasons other than
security, like compliance.  Also, differentiating between the work done by
Immunity and, say, Qualys* is a customer education issue.  Oh, and don't
forget the almighty dollar - because that's an easy way to tell Immunity and
Qualys apart that doesn't hurt Qualys' business one bit.

PaulM

* Totally not picking on Qualys, but I figure I'm less likely to offend
their software than if I named a firm that sells consulting engagements. :)


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
