nanog mailing list archives
Re: Penetration Test Assistance
From: Jason 'XenoPhage' Frisvold <xenophage () godshell com>
Date: Tue, 5 Jun 2012 14:05:06 -0400
On Jun 5, 2012, at 12:52 PM, Peter Kristolaitis <alter3d () alter3d ca> wrote:
In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go.". There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day. Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can imagine.
There are definitely a number of incredible pen-testers out there. But I agree with Peter… If you end up with a "report" that's nothing more than an executive statement pasted at the top of a Nessus report, then you've wasted your money. To be honest, I'd recommend getting a sample report from the company and quizzing them on it before committing to a contract with them.

---------------------------
Jason 'XenoPhage' Frisvold
xenophage () godshell com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
Current thread:
- Penetration Test Assistance Green, Timothy (Jun 05)
- Re: Penetration Test Assistance Andrew Latham (Jun 05)
- Re: Penetration Test Assistance Peter Kristolaitis (Jun 05)
- Re: Penetration Test Assistance Jason 'XenoPhage' Frisvold (Jun 05)
- Re: Penetration Test Assistance Brett Watson (Jun 05)
- Re: Penetration Test Assistance Bacon Zombie (Jun 05)
- Re: Penetration Test Assistance Peter Kristolaitis (Jun 05)
- Re: Penetration Test Assistance Peter Kristolaitis (Jun 05)
- Re: Penetration Test Assistance Andrew Latham (Jun 05)
- Re: Penetration Test Assistance Justin M. Streiner (Jun 05)
- Re: Penetration Test Assistance jim deleskie (Jun 05)
- Re: Penetration Test Assistance Joel jaeggli (Jun 05)
- Re: Penetration Test Assistance Quinn Kuzmich (Jun 05)
- RE: Penetration Test Assistance Baklarz, Ron (Jun 05)
- Re: Penetration Test Assistance dennis (Jun 05)
- Re: Penetration Test Assistance William Herrin (Jun 05)