PaulDotCom mailing list archives
Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions?
From: pjmcgarvey at gmail.com (PJ McGarvey)
Date: Wed, 29 Oct 2008 10:46:14 -0400
Haven't listened yet either, but it sounds like the same spiel he was giving on another podcast this past summer, maybe it was Silver Bullet. Marcus seems almost too rational and logical to me sometimes, but I think he is putting the focus on the right thing, software design and execution... fixing things at the source. But I can relate this scenario to AV in that just because our Enterprise AV program says it stopped or deleted a virus, it's still a very good idea to make sure that there is no evidence of it on a system. Don't trust the software to tell you what it thinks is true, be paranoid. If it's one thing I've learned so far in security, it's that software will never be perfect. So the same with pentesting, you may think you've got a great piece of software (or a security-minded user base) until a skilled person with the right tools gets a crack at them, there's no telling. -PJ 2008/10/29 Bugbear <gbugbear at gmail.com>
So I was listening to the Risky Business Podcast this AM (#85) on my commute in (right after finishing part II of pauldotcom) and they had Tenable Network Security's CSO Marcus Ranum on. Marcus stated that he felt tools such as Core and Metasploit had no usefulness in pen test. He emphasised that a design review and vulnerability scanning should be enough. While I may have misunderstood his statements and I do agree design/config reviews and vulnerability scanning needs to be the first and second step of any regular review, pen test, etc... I completely disagree on his comments on using such aforementioned tools in conjunction with products such as Nessus. i.e. Nessus is not going to tell me if my blackberry user is connecting to free wifi and is vulnerable to Karma, etc.. Thoughts, comments, opinions? Interested in what the viewpoint of the broad background of pauldotcom listeners! Or maybe someone can clarify his comments for me. Tim _______________________________________________ Pauldotcom mailing list Pauldotcom at mail.pauldotcom.com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081029/67a6448b/attachment.htm
Current thread:
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Bugbear (Oct 29)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Jack Daniel (Oct 29)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Arch Angel (Oct 29)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Arch Angel (Oct 29)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Jack Daniel (Oct 29)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? PJ McGarvey (Oct 29)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Paul Asadoorian (Oct 30)
- Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions? Jack Daniel (Oct 29)