Security Basics mailing list archives

Re: Metrics for Ethical Hack


From: Vic Vandal <vvandal () well com>
Date: Fri, 14 Mar 2014 12:30:53 -0700 (PDT)

Hi Monika,

There are tools that will run 20,000-30,000 multi-threaded string attacks on an entire crawled website within a couple 
of hours.  How fast can you type web requests and analyze web responses in comparison? (heh)

You also wrote "review code" in your message.  If you're reviewing source code, how fast can you read and interpret 
thousands and thousands of lines of code and compare it to say a dozen common coding mistakes, versus how fast an 
automated tool can do the same?

There really is no comparison.  The tool always wins by a mile in the amount of time taken.  But the automated tool 
will also always have some limitations, and deep manual testing by a true expert can often find a few things that 9 out 
of 10 automated tools won't.  But the automated tools will still find a lot, where a lot of issues exist.

Sorry I didn't provide any actual metrics as requested.  But if you do the math on that first sentence you can see that 
it's at least weeks of effort versus mere hours.  If you have one website to audit maybe that's not a big deal.  If 
you have a dozen or a hundred websites that you need to audit every few months (or twice a year or whatever) then the 
usage of automated tools is the only way to accomplish the task.  You simply can't clone yourself to try to match the 
processing power of the machine.  And even if you could clone yourself or hire tons of staff, what's the cost 
comparison then?  Also, does your capability and experience match that of the tool developers?

Food for thought.

-Vic

----- Original Message -----
From: "mc" <mccansecure () gmail com>
To: security-basics () securityfocus com, webappsec () securityfocus com, forensics-help () securityfocus com, 
focus-virus-help () securityfocus com, secureshell-help () securityfocus com, pen-test-help () securityfocus com, 
loganalysis-help () securityfocus com, honeypots-help () securityfocus com, security-basics-help () securityfocus com, 
webappsec-help () securityfocus com, webappsec-help () securityfocus com
Sent: Friday, March 14, 2014 9:12:20 AM
Subject: Metrics for Ethical Hack

Hi All,
I am interested to know if there is any metric used to measure the amount of
time it takes to manually review code vs. using a tool. Any opinion will be
appreciated.
Thanks,
Monika Chakraborty



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
