Penetration Testing mailing list archives
Re: Professional Scrpt Kiddies vs Real Talent
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Tue, 9 Mar 2010 12:58:16 -0500
Hi Craig, long time no talk. My comments are embedded below:

On Mar 9, 2010, at 2:27 AM, Craig S. Wright wrote:
The entire notion that security is about pen testing is flawed.
Who said that it was all about pen-testing?
Pen testing can say your system sucks, it can find holes. Really, so what? This does little to actually improve architecture, policy, user behaviour etc. There are always holes; security is an economic risk function.
Absolutely man!
There are limits to what can be spent on security and too much on Pen testing leaves less for mitigation. I see less spent on code testing than on getting the site pen tested, whereas I see more vulnerabilities discovered with a good secure coder.
Ok.
Pen testing is but one small aspect of security.
I think this is the first time that we've agreed with each other on list? What's going on here?
Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Wim Remes
Sent: Tuesday, 9 March 2010 11:35 AM
To: Adriel Desautels
Cc: pen-test () securityfocus com
Subject: Re: Professional Scrpt Kiddies vs Real Talent

While I understand what triggered this post and/or e-mail, it is barely scratching the surface. Infosec is so much more than finding vulnerabilities in products that you can hardly limit a list of "security experts" to people doing vulnerability research. It just ain't right.

For me there are two kinds of people in infosec: people who are actually contributing to a very open and interactive community (no, not by stepping into the limelight at cons and trying to make a name for themselves; this happens on different levels and at varying scales), and then there are the parasites who try to surf along on every wave, not giving back for what they've taken but rehashing the ideas of others and not giving proper credit. The latter kind don't tend to hang around for very long though ...

H.D. Moore comes to mind. He's probably one of the smartest infosec people around. Do you blame him for creating Metasploit and enabling script kiddies to hack, or do you credit him for creating Metasploit, which allows companies and overworked admins to actually perform some kind of pentesting and learn about security in the software they use? I'll choose the latter. Sure, 9 out of 10 won't use it as it was intended (an exploit development framework), but if 1 out of 10 does, that's enough of a result to continue.

I disagree with your position that any serious security services provider HAS TO DO security research (vulnerability research and exploit development). Fact is, it rarely educates people about risk. At best it makes them take a second look at their patch management process.
In the end, everybody actively working to share information and knowledge on a daily basis to advance the infosec profession is a rockstar in my book. And yes, that includes people talking about DNSSEC on stage while under the influence of copious amounts of bourbon.

Cheers,
W

On 05 Mar 2010, at 03:08, Adriel Desautels wrote:

Posted on: http://snosoft.blogspot.com/2010/03/good-guys-in-security-world-are-no.html
Comments, insults, etc. on the blog (or here) are more than welcome.

--

The Good Guys in the security world are no different from the Bad Guys; most of them are nothing more than glorified Script Kiddies. The fact of the matter is that if you took all of the self-proclaimed hackers in the world and you subjected them to a litmus test, very few would pass as actual hackers. This is true for both sides of the proverbial Black and White hat coin. In the Black Hat world, you have script-kids who download programs that are written by other people, then use those programs to "hack" into networks. The White Hats do the exact same thing; only they buy the expensive tools instead of downloading them for free. Or maybe they're actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies have no idea what the programs actually do. Sometimes that's because they don't bother to look at the code, but most of the time it's because they just can't understand it. If you think about it, that is scary. Do you really want to work with a security company that launches attacks against your network with tools that they do not fully understand? I sure wouldn't.

This is part of the reason why I feel that it is so important for any professional security services provider to maintain an active research team. I'm not talking about doing market research and pretending that it's security research like so many security companies do.
I'm talking about doing actual vulnerability research and exploit development to help educate people about risks for the purposes of defense. After all, if a security company can't write an exploit, then what business do they have launching exploits against your company?

I am very proud to say that Everything Channel recently released the 2010 CRN Security Researchers list and that Netragard's Kevin Finisterre was on the list. Other people that were included in the list are people that I have the utmost respect for. As far as I am concerned, these are the top security experts:

* Dino Dai Zovi
* Kevin Finisterre
* Landon Fuller
* Robert Graham
* Jeremiah Grossman
* Larry Highsmith
* Billy Hoffman
* Mikko Hypponen
* Dan Kaminsky
* Paul Kocher
* Nate Lawson
* David Litchfield
* Charles Miller
* Jeff Moss
* Jose Nazario
* Joanna Rutkowska

In the end I suppose it all boils down to what the customer wants. Some customers want to know their risks; others just want to put a check in the box. For those who want to know what their real risks are, you've come to the right place.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog http://snosoft.blogspot.com