Security Basics mailing list archives
Re: Required Help on Automated Tools - Thank you all for all your help
From: "Vin Oxious" <vinoxious () gmail com>
Date: Fri, 24 Oct 2008 23:27:03 +0530
Dear Friends,

Thank you all for sharing your experiences and knowledge ...

regards,
Vins

On Thu, Oct 23, 2008 at 2:02 AM, Prodigi Child <prodigi.child () gmail com> wrote:
That being said, I shy away from pooh-poohing automated tools altogether, because they DO serve a purpose. They can get some of the obvious stuff, and they can get it fast. Sure there are false positives AND false negatives, but that's why they should be one facet of your process. Don't rely exclusively on them, and don't ignore them altogether. Find a happy medium where they complement your manual, intuitive methods.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of J. Oquendo
Sent: Monday, October 20, 2008 11:35 AM
To: Frynge Customer Support
Cc: security-basics () securityfocus com
Subject: Re: Required Help on Automated Tools

On Sat, 18 Oct 2008, Frynge Customer Support wrote:

Adriel: Why are you anti automated? Just curious.

Kelly Sigethy - Frynge.com
Web Design - Hosting - Advertising
http://www.frynge.com
1-403-251-9486 (Calgary)
1-866-331-9684 (Toll Free - Canada and the USA)
+44 (0)8717 206 505 (United Kingdom)

I can't answer for Adriel but I will chime in on why automation - relying on it, is a bad idea. Automation relies on the notion that whatever tool you're using is automatically up-to-date for starters. We've all seen how this theory/notion is flawed. If it were, there would be far less vulnerabilities. Reliance on any tool in this industry from my perspective is akin to my ramblings on monkeys with tools. One becomes too comfortable with an automated process and will almost always likely overlook something small a tool won't pick up.

While it may be a semi decent idea, if "automated" pentesting were such a good idea, there would be a hell of a lot of professionals out of business and a hell of a lot more companies that were secure. Think about this logically for a minute. If it were *that* good of an idea, many companies would have picked up on it and run with it. There would be less vulnerabilities reported, don't you think?
Always, always, always keep in mind, an attacker, especially a determined attacker isn't likely to have Webinspect, Hailstorm or other commercial tools in his or her arsenal. Most "thorough/skilled" attackers will use their own intuition, tools, methods in order to leverage a target. Try automating intuition in the sense that "hrmm I sometimes name my temp directories pm3t because I'm lazy". Tools (automated) will only give you what their developers see fit at the time of compilation.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Each player must accept the cards life deals him or her: but once they are in hand, he or she alone must decide how to play the cards in order to win the game." Voltaire

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB