Dailydave mailing list archives
Re: New presentation is up: 0days: How hacking really works
From: Kevin Ponds <kponds () gmail com>
Date: Tue, 1 Feb 2005 08:44:38 -0600
Excellent presentation. One thing that I've been turning over in my mind, and hopefully should bring up a decent discussion is this:

Assume the not-so-distant future (or present) is ruled by 0day, which I totally agree with you on. What is the value-added from pen-testing/auditing?

Pretend I'm a large enterprise, and there are 45 0days that affect my network that are known by different hackers around the globe. I shell out a fair load of cash for a pen-test from some security consultancy, who promptly own my network with their three 0days that they've home grown. What have I gained from this?

-No one could know about the vulnerabilities except the guys I just hired.
-If they do, there are tons more vulnerabilities out there that the guys that I hired have never heard of.
-If I get attacked with 0day, what are the chances that it will have been one of the 0days that I tested with? In our simulation, 3/45 at best (best meaning that all of the tested vulnerabilities are known by the underground).

Do you see a future where pen-tests are limited to automated systems scanning for non 0day (just to make sure), and in-house sweeps with known 0day (such as using CANVAS, which is inarguably less expensive than hiring a pen-test team)?

I personally see the money that's being thrown into pen-tests going into secure platforms, such as stack protectors, HIDS, better IDS technology, etc. "We know we're vulnerable to 0day so we're going to make our platforms (as) invulnerable (as possible)" line of thought.

Obviously I still think that auditing / testing is needed to some extent, but I don't really see the point in spending $200k for someone to rape my network with a bug that I'll never see again.

On Thu, 30 Dec 2004 13:55:38 -0500, Dave Aitel <dave () immunitysec com> wrote:
http://www.immunitysec.com/resources-papers.shtml
-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- New presentation is up: 0days: How hacking really works Dave Aitel (Jan 29)
- Re: New presentation is up: 0days: How hacking really works Kevin Ponds (Feb 01)
- Re: New presentation is up: 0days: How hacking really works Tom Parker (Feb 01)
- Re: New presentation is up: 0days: How hacking really works halvar (Feb 01)
- Re: New presentation is up: 0days: How hacking really works robert (Mar 19)