Penetration Testing mailing list archives
RE: Penetration tester or Ethical hacker future?
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 30 Aug 2007 11:37:33 -0400
> Now the question, I really want to know: what is your thought on where the
> penetration testing market is going?

I'd say that the pen-test market as we know it today has another 5-10 years on its feet thanks to regulations like PCI. Eventually companies will lose interest for any number of potential reasons:

1. They figured out Internet service security and got bored with empty reports.
2. They bought a scanner and brought it all in house. (Nessus runs on Windows now!)
3. They get owned despite clean pen-test reports and now think it's a waste of money.

This will leave pen-testers to fight over the emerging security QA market. Instead of pen-testing a company's network, you'll pen-test their product. In its early stages, this will separate the men from the boys, so to speak. But eventually black/grey box testing tools like fuzzers and debuggers will get slick GUIs and scripted test suites, too.
> Will the penetration tester job description change over time because
> of the evolution of automated tools?

It already has. It's a done deal. Any pen-test shop that tells you they don't use ISS, Nessus, Rapid7, or Qualys is lying. The good shops hire good people and write custom tools in addition to the commercial scanners. The bad ones just overcharge for a pretty binder. Unfortunately, the bad outnumber the good 10:1.
> Do you think it's worth the effort to train and keep people in the company
> for doing pen testing? What I mean by this is, say, an average-skill
> penetration tester costs 60k/year + 20k of automated tools = 80k/year
> and can deliver quality of, say, 70%, versus someone highly skilled who costs
> the organization 150k and can deliver quality of, say, 90%. If at the end
> COMPLIANCE is still the main driver for penetration testing, should we say
> quality is the 2nd priority?

Only if organizationally compliance is the first priority, which it shouldn't be, but often is. Most companies do not benefit from having a Dave Aitel or Dan Kaminsky on their internal staff. It makes more sense to hire them to beat up on the new stuff and/or the important stuff and supplement that work with cheaper scanning-tool based work done in-house.
> The reason why I asked this question is because I notice that Virus
> Analyst positions are only available if you are working for an anti-virus
> vendor such as McAfee, Symantec, etc., while big organizations usually
> employ anti-virus administrators as opposed to Virus Analysts. I strongly
> believe the reason for this is that the anti-virus market has matured and
> people are relying more and more on anti-virus software. Has anti-virus
> software solved the problem? No, of course not, since there are still many
> new viruses coming out every second. I am not sure whether this is the
> correct analogy or not, but I hope you get the point.

Actually, I think it's a pretty good analogy. AV software and vulnerability scanners work very similarly. They look for known patterns either in recorded data or system behavior. And there are big detection gaps in both of these approaches that, for now at least, can only be covered by talented hands.

PaulM