Penetration Testing mailing list archives

Re: White box pentesting


From: Joey Peloquin <joeyp () cotse net>
Date: Wed, 01 Oct 2008 08:23:54 -0500

dimkovtrajce () yahoo com wrote:
Hi pentesters,

I am planning to spend a considerable time of my PhD (3 years) on developing a model/algorithm/tool that will help pen 
testers during white box penetration testing where they look at physical security of the building as well as pentesting 
when they are allowed to use social engineering. Before I start, I would like to know:

1. How often do you do whitebox pentesting?
2. How often are you pentesting physical security as part of the test?
3. How often are you allowed to use social engineering as part of the test?

It will help me decide if I should continue working on this field, or switch to another.

Thank you in advance,
Dimkov

Hey Dimkov,

1. Rarely
2. Never
3. Almost never

In my experience, companies usually already know that physical security and susceptibility to social engineering are their weak spots, and aren't interested in paying us to tell them what they already know.

Furthermore, the vast majority of companies out there have a "check in the box" mentality and therefore do the bare minimum to satisfy whatever requirement is motivating them to do a PT in the first place. There are exceptions, of course, but day to day, I find this to be the prevailing attitude.

Good luck with your project.

-jp

--
"Companies will say, "We can Web 2.0ify your existing applications in 15 minutes - we've got a wrapper". These people are charlatans, and you should punch them in the face. They are taking your back-end database tiers and moving them to the perimeter." - Billy Hoffman, HPSW Security Labs

