Dailydave mailing list archives

Re: "The organization I belong to doesn't have initials" (that evil dude in Heroes)


From: "Steve Manzuik" <smanzuik () juniper net>
Date: Mon, 13 Nov 2006 17:25:56 -0500

> That's a misleading way to frame the conversation, don't you think?  A pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
> It's supposed to ask the open-ended questions, "How can you be hacked?" and "How can you fix it?"

Absolutely, but that was my entire point.  If you don't have the
infrastructure in place, the answer to "how can I be hacked?" is a rather
long one that makes the "how can I fix it?" answer quite long as well.
Long answers to anything when executives are involved are
counterproductive.

Also, when you have a network that is so poorly built/secured, it is easy
for even a good pen-test team to get distracted with some of the
low-hanging-fruit issues and miss some of the more important but "harder"
ones.

> Yes!  Why spend energy finding new bugs when you're in no position to fix the ones you already know about?  It's very much putting the cart before the horse.

Yup, and that is what I was trying to get at with my original, but badly
made, point. ;-)

> Except that companies do 3rd-party pen-tests for reasons other than security, like compliance.  Also, differentiating between the work done by Immunity and, say, Qualys* is a customer education issue.  Oh, and don't forget the almighty dollar - because that's an easy way to tell Immunity and Qualys apart that doesn't hurt Qualys' business one bit.

But that isn't a pen-test.  That is a vulnerability assessment.  These
are two very different things.

Vulnerability Assessment = Using a tool to scan for known
vulnerabilities and weaknesses.

Pen-test = Using tools and skill to pop holes in boxes using known and
unknown vulnerabilities and weaknesses.

Don't take that the wrong way; I am in no way beating up on Vuln
Assessments.  They have their worth as well, but they are geared more
towards the compliance issues than a real pen-test is.  In fact, if you
are doing a pen-test to get past a compliance issue, you are probably
opening a can of worms that you really don't want to.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave