Dailydave mailing list archives

Re: So when will the end of pen-tests begin?


From: "David Maynor" <dave () erratasec com>
Date: Thu, 23 Nov 2006 09:50:40 -0500

I can't see pentests ending anytime soon. Now, besides just a general
sense of fear, they are being driven by different things like compliance
issues. To be honest, the result of the pentest seems less important to
people than filling the checkbox that they have had one done. I think
that there has been a huge shift in the focus of pentests lately; no
longer do most clients seem happy in paying for a simple report that
says "Dud3 y0ur 0wn3d!" I think as time goes on pentests, site
assessments, and blackbox app assessments will merge, which should put
more pressure on vendors to fix these problems.

________________________________

From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Isaac
Dawson
Sent: Wednesday, November 22, 2006 11:48 PM
To: Dailydave () lists immunitysec com
Subject: [Dailydave] So when will the end of pen-tests begin?

After reading Havlar's post on the 'end is near' of MSOffice bugs, it
made me start thinking about when the end of pen-tests will begin. I
don't know about the rest of you, but I've seen huge differences in the
types of issues that are being found on thin/thick application pen
tests. Before, it was very common to pretty much completely take control
of servers. Although this does still happen, it is not nearly as much as
before. Obviously this really depends on how mature the customers are
and how many previous tests they've had.

So when will these tests end? 5-10 years? 20? I know we will 'always'
need security validation, but will customers be willing to spend the
(sometimes insanely overpriced) amount for these types of tests?
Is anyone else thinking about what they will do next? :)
-Isaac
