Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: Bill_Royds () pch gc ca
Date: Thu, 3 Sep 1998 14:54:32 -0400
What are the opinions on the thoroughness of shrink-wrap software penetration testing? Is today's shrinkware more capable for penetration testing (a single machine) than a human?
I guess it depends on the human! :) Can a program do a better job of testing than a lame, clueless human? Sure! Can a program do a better job of testing than a fairly experienced security guru? No. Can a program do a better job of testing than an 3ll33t? No. mjr. Shrinkware should not be used instead of a proper penetration testing exercise but as a first step. Essentially shrinkware encapsulates some standard methods of testing so that one does not have to re-invent the wheel for each system that one wants to examine. Today's software will remember far more detail than any human could and expresses the sum of knowledge of many individuals. It helps the practitioner find the obvious flaws so that he or she can spend more effort examining the more subtle problems like systems ability to monitor attacks so that it doesn't cry wolf to often nor ignore real attacks. They are not a lamer if they use shrinkwrap, but they are if the assume that that is all their is to testing. If shrinkwap software finds problems, then you know the system is flawed. But if shrinkwrap doesn't find problems, that implies you have at least a start on where to look and can avoid waisting time in obvious places. It doesn't mean there are no problems, just that you will have to do your job with a good starting point.
Current thread:
- Re: Penetration testing via shrinkware, (continued)
- Re: Penetration testing via shrinkware Crispin Cowan (Sep 18)
- Re: Penetration testing via shrinkware Ted Doty (Sep 19)
- Re: Penetration testing via shrinkware tqbf (Sep 19)
- Re: Penetration testing via shrinkware Dave Whitlow (Sep 19)
- Re: Penetration testing via shrinkware Christopher Nicholls (Sep 19)
- Re: Penetration testing via shrinkware Adam Shostack (Sep 20)
- Re: Penetration testing via shrinkware Ivan Arce,CORE SDI (Sep 23)
- Re: Penetration testing via shrinkware tqbf (Sep 21)
- Re: Penetration testing via shrinkware Crispin Cowan (Sep 19)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 20)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 20)
- Re: Penetration testing via shrinkware Marcus J. Ranum (Sep 21)