PaulDotCom mailing list archives
Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions?
From: arch3angel at gmail.com (Arch Angel)
Date: Wed, 29 Oct 2008 10:33:25 -0400
I have seen in the past where people who did not know the results of poor choices have their minds turned around by things such as the live results of a scan. For example, while I was in the Army commanders knew nothing about computers let alone security, I simply educated them and showed them the results of poor choices, that is something they took with them.

In a perfect world we would not need these tools, however in the real world I believe we need education, and more so those who educate. If we, the professionals of the world, no matter your profession, fail to bring examples from the real world into our educational programs then we not only fail that person, we fail as an educator.

"Give the man a binary and he plays for days. Give him source and he plays for life!"

Show them the real world examples and help educate them on prevention, if all else fails beat them really hard. Just kidding....

On Wed, Oct 29, 2008 at 10:15 AM, Jack Daniel <jackadaniel at gmail.com> wrote:
> One thing Marcus said which I think is dead on is that if you have to "rub someone's nose in it" to convince them they have a problem (actually exploit a vuln and compromise something) we're already screwed. How do you create a secure environment if decision makers' minds are set to default-ignore?
>
> If I were an optimist, I would say people learn and change. Then again, if I were an optimist, this would be a poor career choice.
>
> Jack
>
> 2008/10/29 Bugbear <gbugbear at gmail.com>:
> > So I was listening to the Risky Business Podcast this AM (#85) on my commute in (right after finishing part II of pauldotcom) and they had Tenable Network Security's CSO Marcus Ranum on. Marcus stated that he felt tools such as Core and Metasploit had no usefulness in pen test. He emphasised that a design review and vulnerability scanning should be enough.
> >
> > While I may have misunderstood his statements and I do agree design/config reviews and vulnerability scanning needs to be the first and second step of any regular review, pen test, etc... I completely disagree on his comments on using such aforementioned tools in conjunction with products such as Nessus. i.e. Nessus is not going to tell me if my blackberry user is connecting to free wifi and is vulnerable to Karma, etc..
> >
> > Thoughts, comments, opinions? Interested in what the viewpoint of the broad background of pauldotcom listeners! Or maybe someone can clarify his comments for me.
> >
> > Tim
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> --
> ______________________________________
> Jack Daniel, Reluctant CISSP
> http://blog.uncommonsensesecurity.com
> http://www.linkedin.com/in/jackadaniel