Re: Defending the honor of...penetration testing tools

[Anton Chuvakin <anton () chuvakin org>]

On Tue, Feb 12, 2013 at 9:50 PM, Dave Aitel <dave () immunityinc com> wrote:

>  So as you can see below, I'll be at RSA asking Andrew Jaquith why on
> earth he thinks penetration testing tools are evil. To be honest, I have no
> idea. Does that also imply penetration testing is evil, or is he saying
> that penetration testing tools make people lazy and therefor you get better
> penetration tests without them, in which case I'll try to get him to write
> his future papers without a keyboard or something.


Well, I can't say why he thinks they are evil, but I often thought that
their NAME is. Often, when I hear people say "penetration testing tools"
they *automatically* assume that "running that tool == penetration test."
After all, "X tool" in many minds means "tools that does X."  Penetration
tools, last time I checked, don't DO penetration testing. Humans do.  You
can insert all the jokes about stupid people and all, but this sentiment is
very, very contagious.

Therefore I often avoided naming them in my work and instead used
some kludge like "exploitation tools", or (please don't laugh) "tools
[somewhat] helpful during penetration testing."

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Twitter: @anton_chuvakin
Work: http://www.linkedin.com/in/chuvakin

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave