Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Pete Herzog <lists () isecom org>
Date: Thu, 16 Jun 2005 10:18:37 +0200
Hi,
intel96 wrote:
> One question I have not seen yet concerning is why PenTest is: To
> justify your job and a budget.

It's not uncommon to meet ethical challenges on any job. Fudging data to meet your economic gains, or to help someone else do so, always becomes a harder decision as the economic gains increase. The argument is also true that if you don't help them achieve their goals then they will find someone else who will, as the world is full of financially rewarded yet ethically-challenged people. And business is business, right? And it's not like you're a doctor, right?

I just finished the Foreword to a college textbook focused heavily on OSSTMM Security Testing, due out in September/October from Thomson Learning, where I challenge this notion as a non-personal one because we are all reliant on each other when it comes to security (unless you happily spend your days out of the sun in your deep, self-sustaining bomb shelter). A small quote so I don't have to put forward the challenge again:

"We are all victims of other people’s bad security decisions all the time. At best it’s just the inconvenience of the security guard checking our receipt as we leave the store. At worst, there’s no limit to the annoyances, inconveniences, problems, deaths, and destruction that can result. I don’t want to be in that position where I failed to open your eyes to the problem only to have it become my problem. I don’t know where any of you will be in 5 or 10 years but I’m sure even if you are not a security professional you will have the ability to affect security in my life through commentary, decision, vote, or inaction."
> Now the biggest questions that I get from the customer are how did you
> bypass my filters (IDS, IPS) and I need you to rewrite the final report so I can obtain more funding.........to buy more security and hire more people.....the biggest hole that I found was the lack of security internal process. These things require leadership to fix not more funding!!!!!!!!! How do you state that in a report?

By pointing out the processes which failed rather than the equipment. Analysis will show the clear cause and effect in many of these situations, and while it may be leadership, you may have more success by building a case that stops short of finger-pointing unless you really know 100% that it is leadership alone that causes the problems. Base your report on facts and objective analysis of those facts.
> So IMHO every project is different based on the customer's needs (more
> funding and more head count). The other issue is how to set the clowns apart from the professionals, which is becoming harder to do because there are more clowns and not enough professionals, and the clowns are hurting the rest of us....

Every project is different, but how much you are willing to sell your compromised integrity for should be static. Treat every project like it's the one you may be remembered for, and try to make sure you're clear with yourself and your company what exactly you want to be remembered for. If you want to be different from the clowns then you can't let economic gain differentiate for you. The sad truth is that there are a lot of rich clowns with wonderful lives.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.