Dailydave mailing list archives
Pen-Testing Disclosure was Re: Dreaming of Summer
From: dailydave () menaced net
Date: Mon, 8 Dec 2003 09:37:52 -0500
Quoting David Maynor <dave () 0dayspray com>:
> On Sat, 2003-12-06 at 23:43, Sean Batt wrote:
> > Hello Daves et al, I can't quite understand how a whitehat would use a 0day. Isn't a whitehat ethically bound to fix or report vulnerabilities?
>
> What is wrong with using code I wrote to perform my job? This would be different if I were just out defacing random webpages, but if it's my job, there seems to be a big difference to me.
When you contract for a pen test be sure to read all documents you sign carefully. I've never agreed to a contract where the pen testing team does not disclose all tools used and a packet capture of all traffic for the pen test. Keeping a "0day" to use for pen testing seems very hokey to me. A "whitehat" isn't ethically bound to fix anything. But you usually work out an agreement that requires proper disclosure of all risks identified along with all tools utilized to identify those risks.
> As I said before, security is a process. As a security professional it is my job to help protect my client against all threats, known or otherwise. You do this by limiting exposure so if there is a 0day the effect will be reduced. How do you test the effects a remote 0day would have on a client unless you have them?
Fluff and buzzwords...

To help answer Sean's questions about: "Am I being naive thinking that ethical stance is the difference between black and white hats? I guess I'm missing something (probably a lot) about the utility of 0days and the practice of penetration testing and if anyone can comment on that I'd appreciate it." I offer this:

There's no difference between "black and white hats." Those are just media words to help colorize their publications.

To perform proper penetration testing one does not need 0day exploits. 0day exploits come from a good R&D team that has time on their hands. A pen test team should be able to come up with attacks on the fly based upon the environment being tested. These could be called 0day, but more often than not they just wind up in the report given to the client at the end of an engagement. If they have far reaching effects they'll go to the vendor of the application for a fix. Either the pen test team/organization submits to the vendor or the company that received the pen test will notify the vendor. If the pen test team/org doesn't have any contacts with a particular vendor they'll use the already established contacts that the client has made when purchasing the application/product.

My basic comment can be summed up completely with this: Keeping a 0day exploit for yourself to use for pen testing is lame. The only reason for keeping an attack secret would be to gather more business and make yourself look good in the process. Oooh ooh, lookey lookey, I keep getting into every site I've been contracted to pen test that runs application code XYZ version 1.0.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Re: Dreaming of Summer, (continued)
- Re: Re: Dreaming of Summer David Maynor (Dec 06)
- RE: Dreaming of Summer Kohlenberg, Toby (Dec 06)
- Re: Dreaming of Summer Dave Aitel (Dec 06)
- RE: Dreaming of Summer Brass, Phil (ISS Atlanta) (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 06)
- Re: Dreaming of Summer Tri Huynh (Dec 06)
- Re: Dreaming of Summer Dave Aitel (Dec 06)
- Re: Dreaming of Summer David Maynor (Dec 06)
- Re: Dreaming of Summer Sean Batt (Dec 06)
- Re: Dreaming of Summer David Maynor (Dec 06)
- Pen-Testing Disclosure was Re: Dreaming of Summer dailydave (Dec 08)
- Re: Dreaming of Summer David Maynor (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 06)
- Re: Dreaming of Summer Dave Aitel (Dec 06)
- Re: Dreaming of Summer David Maynor (Dec 06)
- RE: Dreaming of Summer David Maynor (Dec 07)
- RE: Dreaming of Summer Halvar Flake (Dec 09)
- RE: Dreaming of Summer David Maynor (Dec 07)