Penetration Testing mailing list archives
Re: Penetration Testing Services
From: BMF <badmotherfsckr () gmail com>
Date: Tue, 3 Aug 2010 00:04:29 -0700
On Mon, Aug 2, 2010 at 4:18 AM, cribbar
Penetration Testing Community - I am interested in getting an expert response to a discussion that keeps raising up in our company.
Then I suggest paying a reputable pen-test company for their expert opinion. All you are likely to get here are half-assed amature replies such as this one.
I’ve spent a couple of hours on the Nessus website looking at the types of “vulnerability” it will catch, and it seems to cover a whole array of topics and security issues. This leads to the inevitable comment from senior
Be sure to test any accessible webapps as well. Nessus alone won't catch the most likely ways in if you expose any web apps.
management, if we have an IT Security section who are using the most common vulnerability scanning / penetration testing tools –what is the point in investing significant $$$ in buying in a 3rd party to do exactly the same?
Hopefully, that third party knows how to read the results of their tools (many don't and just take the long list of stuff Nessus et al spits out as gospel), may use multiple tools, and may be able to probe your webapps and other things that Nessus doesn't touch.
I fully appreciate that penetration testing is an area of high skill, as a 3rd party you provide an independent neutral security review, it takes years to master the topic, and once mastered you need to stay up to date with all
I think penetration testing is way overrated anyway. There is no way to prove that you have found and fixed all of the external vulnerabilities. If the attackers are smarter or more up to date than your pen-test (which these days is likely) you are still hosed.
• How do you as penetration testers, portray the importance of this independent check to future potential clients? Is this independence really that important?
Pen-testers want to sell their services. So they portray pen-testing as very important. And never point out that the attacker is likely smarter than the pen-tester because that is bad for bidness.
• What broadly speaking do you as professional penetration testers bring additional to a nessus scan during the services you provide?
Most pen-testers don't add much more than that aside from copious amounts of ego and claims of l33tness. Good ones do but are hard to find. They may have custom tools and will be able to probe your web apps etc. If there are
categories of security issues/vulnerabilities that you can flag up doing one of your penetration tests that Nessus wont - that would be incredibly useful to know, and I’d love to be able to identify the limitations of Nessus scans but I am a bit out of my depth to be able to do so.
Web apps.
that’s the report they use. This to me sounds a complete rip off, and I can’t see the benefit. So where is the added benefit in having an internal security guy run nessus, and paying a 3rd party pen tester x amount of $$$ money to do exactly the same? Why not just stick with the internal guy? Or
If that is all they do then it is a complete rip-off. Quiz them well, ask for what tools they use, make them prove everything they claim.
am I missing something? I really would appreciate real examples of whereby just running Nessus is simply not enough as it wont catch a, b and c!
Web apps. BMF ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Penetration Testing Services cribbar (Aug 02)
- RE: Penetration Testing Services Sherif Eldeeb (Aug 03)
- Re: Penetration Testing Services Justin Klein Keane (Aug 03)
- Re: Penetration Testing Services k.x86 (Aug 03)
- Re: Penetration Testing Services Robin Wood (Aug 03)
- RE: Penetration Testing Services Jason Hurst (Aug 03)
- Re: Penetration Testing Services Andre Gironda (Aug 03)
- Re: Penetration Testing Services Richard Miles (Aug 16)
- RE: Penetration Testing Services Mathew Sealy (Aug 03)
- Message not available
- Re: Penetration Testing Services Jonathan Leigh (Aug 03)
- RE: Penetration Testing Services Sherif Eldeeb (Aug 03)
- Re: Penetration Testing Services BMF (Aug 03)
- Re: Penetration Testing Services Todd Hughes (Aug 03)
- RE: Penetration Testing Services Hugo V. Garcia R. (Aug 03)
- Re: Penetration Testing Services MAlMozaiyn (Aug 08)
- RE: Penetration Testing Services Khalid Lakdawala (Aug 12)
- Re: Penetration Testing Services cribbar (Aug 12)