Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: "Steve Manzuik" <smanzuik () juniper net>
Date: Mon, 13 Nov 2006 17:25:56 -0500
> That's a misleading way to frame the conversation, don't you think? A pen-test isn't supposed to answer the yes/no question, "Can you be hacked?" It's supposed to ask the open-ended questions, "How can you be hacked?" and "How can you fix it?"
Absolutely, but that was my entire point. If you don't have the infrastructure in place, the answer to "how can I be hacked?" is a rather long one, which makes the "how can I fix it?" answer quite long as well. Long answers to anything, when executives are involved, are counterproductive. Also, when you have a network that is so poorly built/secured, it is easy for even a good pen-test team to get distracted by some of the low-hanging-fruit issues and miss some of the more important but "harder" ones.
> Yes! Why spend energy finding new bugs when you're in no position to fix the ones you already know about? It's very much putting the cart before the horse.
Yup, and that is what I was trying to get at with my original, but badly made point. ;-)
> Except that companies do 3rd-party pen-tests for reasons other than security, like compliance. Also, differentiating between the work done by Immunity and, say, Qualys* is a customer education issue. Oh, and don't forget the almighty dollar - because that's an easy way to tell Immunity and Qualys apart that doesn't hurt Qualys' business one bit.
But that isn't a pen-test. That is a vulnerability assessment. These are two very different things. Vulnerability Assessment = using a tool to scan for known vulnerabilities and weaknesses. Pen-test = using tools and skill to pop holes in boxes using known and unknown vulnerabilities and weaknesses. Don't take that the wrong way; I am in no way beating up on vuln assessments. They have their worth as well, but they are geared more towards compliance issues than a real pen-test is. In fact, if you are doing a pen-test to get past a compliance issue, you are probably opening a can of worms that you really don't want to.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- "The organization I belong to doesn't have initals" (that evil dude in Heroes) Dave Aitel (Nov 12)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Pete Herzog (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Paul Melson (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Olef Anderson (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Nicolas RUFF (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) David Maynor (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Daniel (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Siim Põder (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 15)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) dan (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Rhys Kidd (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Dave Aitel (Nov 16)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)