Educause Security Discussion mailing list archives
Re: Penetration Testing Software
From: randy marchany <marchany () VT EDU>
Date: Wed, 11 Mar 2009 14:55:37 -0400
We use the following pen test software:

1. Commercial - Core Impact. Great but expensive. They are willing to work with EDUs.
2. Freeware - Metasploit. I recommend using this first to get practice and experience before evaluating commercial software.

-r.

On Wed, Mar 11, 2009 at 2:44 PM, Curt Wilson <curtw () siu edu> wrote:

> James R. Pardonek wrote:
> > We are looking at penetration testing, either by a third party or by using purchased software in-house. I was curious what others were doing, some costs and issues.
>
> We use nmap and other tools to get things started, combined with Nessus with a commercial feed, Metasploit, Core Impact (we are fortunate to have it), and have also used SPI Dynamics WebInspect for web apps and Application Security's AppDetective for some database assessment in the past. We used Immunity's CANVAS in the past but have let the license lapse; it's a nice tool, but Core's reporting features are much nicer, and Core is easier and faster to use.
>
> I see pentesting and assessment as complementary and often merge them together for the sake of delivering the highest value. These tools are excellent in the right hands and speed things up considerably. That being said, there is no substitute for a skilled assessor. I'm sure we've all found issues that the scanners did not. They only go so far, and have various issues with coverage and depth. I've found that attackers will go further in many cases, and skilled pentesters can go much further. I've met several of the folks from InGuardians and they are very good, as are the people at Core Security.
>
> When I was a consultant, pentesting and assessment were an area I specialized in. It takes a lot of time to do right and to keep up with, so if you have the $ I'd suggest outsourcing it unless you have some skilled and motivated staff.
>
> > Thanks,
> > James R. Pardonek, CISSP
> > Senior Network Administrator
> > Network Infrastructure Management and Maintenance
> > Computing Technology and Information Services
> > Purdue University Calumet
> > Hammond, Indiana
>
> --
> Curt Wilson
> SIUC IT Security Officer & Security Engineer
Current thread:
- Penetration Testing Software James R. Pardonek (Mar 09)
- <Possible follow-ups>
- Re: Penetration Testing Software Daniel Bennett (Mar 10)
- Re: Penetration Testing Software Karen Stopford (Mar 10)
- Re: Penetration Testing Software Joel Rosenblatt (Mar 10)
- Re: Penetration Testing Software Axworthy, Heather (Mar 10)
- Re: Penetration Testing Software Jay Tumas (Mar 10)
- Re: Penetration Testing Software Rue, Brian R. (Mar 10)
- Re: Penetration Testing Software King, Ronald A. (Mar 10)
- Re: Penetration Testing Software David Grisham (Mar 10)
- Re: Penetration Testing Software Curt Wilson (Mar 11)
- Re: Penetration Testing Software randy marchany (Mar 11)
- Re: Penetration Testing Software Christopher Jones (Mar 11)