Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Flash that simulates virus scan

From: "Michael Neal Vasquez" <mnv () alumni princeton edu>
Date: Wed, 31 Oct 2007 15:35:30 -0700
It's valid IMO, but also depends on the client expectations.  At the outset,
the parameters of what's being tested should be well outlined.  Some clients
prefer purely technical measures for penetration.  Others are open to a
complete (i.e. SE included) test.  Obviously a better choice, but I always
had 2 goals in the complete test: A) Purely technical intrusion & B)
Intrusion via SE.  Cover your bases, open their eyes.

Show them a) the need for vigilant employee training and security awareness
programs, and
b) that their infrastructure has its own stand-alone holes as well....




On 10/31/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:


On Wed, 31 Oct 2007 16:56:20 CDT, reepex said:

resulting to se in a pen test cuz you cant break any of the actual

machines?

Lots of *actual* compromises happen the same exact way - resorting to SE.
As such, if a pen test doesn't cover the same territory, it's incomplete.

"Yes, your house is secure - we checked all the doors and they're up to
snuff.
We however didn't check if you'll open the door *anyhow* if the landshark
on
the other side says 'Landshark', leading to everybody getting eaten."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: