Dailydave mailing list archives

Re: Immunity Certified Network Offense Professional


From: root <root_ () fibertel com ar>
Date: Mon, 14 Jul 2008 04:23:31 -0300

In my short experience finding bugs and exploiting them, I have found
that the task of writing a reliable exploit is *orders of magnitude*
more complex and requires much more experience than that required to only
find a bug.
Anyone can fire a fuzzer, find a bug and tell their client about how
exploitable it is.
People then will talk about ret-to-libc and malloc tricks that really
don't work anymore in modern systems.
IMHO, only somebody with the technical expertise to write the actual
exploit can know the real extent of the vulnerability.

Sorry for the rant, it is late here :)

Thomas Ptacek wrote:
 I would generally agree that anyone selling themselves as a pen-tester should
 be able to pass this -- but not at the exclusion of also being able to identify
 poor use of crypto, architectural failures or web application vulnerabilities.
 Maybe the dispute here is in understanding what the purpose of this
 certification is.

No, see, I'm saying something different --- I'm saying that people who
sell themselves as pen-testers DO NOT need the skills this test looks
for. Ability to FIND overflows is more valuable than the ability to
EXPLOIT them.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

