Re: Using 0days as part of pen-test?

[Oliver Schad <oliver.schad () oschad de>]

Am Mittwoch, 14. Januar 2009 schrieb mir purdy () tecman com:
> Good points Pete. But since the sub: caught my attention, I thought I
> would point out (if it has not already been done) that 0-day tests, by
> definition, cannot test anything other than the quality of the
> anomaly-based detection system.  

That's not right - if you have a security concept which guarantees 
security in depth, you should get access to a system with only less 
important data and a low position of trust.

I know that you can't guarantee that in many cases on every part in a 
network but you should build a concept with security in depth in mind.

The general question is: What do you want to test, what do you want to 
prove? Do you want to show how hard it is to get important data und 
compromise important systems? If this is your mission then you should 
choose all weapons you have.

If you want to check software updates,  selection of software and critical 
configurations of software why do you make a pen test? In this case I 
think you should ask the system administrator for an account to get 
access to all systems to check all software installed and all 
configuations. It's the much easier way to check this.

Regards
Oli

Attachment: signature.asc
Description: This is a digitally signed message part.