Dailydave mailing list archives

Re: Immunity Certified Network Offense Professional
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 14 Jul 2008 21:48:07 -0400

On Mon, Jul 14, 2008 at 8:18 AM, Thomas Ptacek <tqbf () matasano com> wrote:
> The problem is, it is not MORE VALUABLE to exploit memory corruption
> flaws than it is to find them. Consider two scenarios:
>
> (1) A shrink-wrap software pen test, for a vendor or a customer ---
> the target is one application. You have 5 days. Unless you think you
> can sweep 500,000 lines of C code clean of vulnerabilities in 40
> hours, an hour spent on exploit dev is an hour not spent finding
> vulnerabilities.

The thing about exploits in pen-testing is that they're not really
necessary for the client or the client's code.  They're more for the
vendor of the shrink-wrap software that you're testing.  A client
smart enough to pay for a pen-test (as opposed to a vulnerability
assessment) will also be able to understand they should fix their code
when you show them a screenshot of gdb showing EIP = 0x41414141.  But
vendors are another story - you've gotta have a highly reliable PoC
exploit before they do anything at all for your client in terms of a
fix.  (This is why billing T&M for a pen-test is convenient - you
don't have to ask your client to sign another contract to code the PoC
and sit through the conference calls with the vendor.)

> Plenty of people cheat at writing exploits too.

Cheating at exploit writing is like cheating at running.  Except when
you're in competition, nobody cares if you drove a car, so long as you
arrived at the correct destination.

PaulM
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave