Security Basics mailing list archives

Re: Required Help on Automated Tools


From: "J. Oquendo" <sil () infiltrated net>
Date: Mon, 20 Oct 2008 11:35:08 -0500

On Sat, 18 Oct 2008, Frynge Customer Support wrote:

> Adriel:
>
> Why are you anti automated?  Just curious.
>
>
> Kelly Sigethy - Frynge.com
> Web Design - Hosting - Advertising
> http://www.frynge.com
> 1-403-251-9486 (Calgary)
> 1-866-331-9684 (Toll Free - Canada and the USA)
> +44 (0)8717 206 505 (United Kingdom)


I can't answer for Adriel, but I will chime in on why
automation - relying on it - is a bad idea.

Automation relies on the notion that whatever tool you're
using is automatically up-to-date for starters. We've all
seen how this theory/notion is flawed. If it weren't, there
would be far fewer vulnerabilities.

Reliance on any tool in this industry from my perspective
is akin to my ramblings on monkeys with tools. One becomes
too comfortable with an automated process and will almost
always likely overlook something small a tool won't pick
up.

While it may be a semi-decent idea, if "automated"
pentesting were such a good idea, there would be a hell
of a lot of professionals out of business and a hell of
a lot more companies that were secure. Think about this
logically for a minute. If it were *that* good of an
idea, many companies would have picked up on it and run
with it. There would be fewer vulnerabilities reported,
don't you think?

Always, always, always keep in mind, an attacker,
especially a determined attacker, isn't likely to have
Webinspect, Hailstorm or other commercial tools in
his or her arsenal. Most "thorough/skilled" attackers
will use their own intuition, tools, methods in order
to leverage a target. Try automating intuition in the
sense that "hrmm I sometimes name my temp directories
pm3t because I'm lazy". Tools (automated) will only
give you what their developers see fit at the time
of compilation.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB

