Educause Security Discussion mailing list archives

Re: Penetration Testing Software


From: randy marchany <marchany () VT EDU>
Date: Wed, 11 Mar 2009 14:55:37 -0400

We use the following pen test software:

1. Commercial - Core Impact. Great but expensive. They are willing to work
with EDUs.
2. Freeware - Metasploit. I recommend using this first to get practice and
experience before evaluating commercial software.

-r.

On Wed, Mar 11, 2009 at 2:44 PM, Curt Wilson <curtw () siu edu> wrote:

James R. Pardonek wrote:
We are looking at penetration testing, either by a third party or by
using purchased software in-house.  I was curious what others were
doing, some costs and issues.

We use nmap and other tools to get things started, combined with Nessus
with a commercial feed, Metasploit, Core Impact (we are fortunate to
have it), and have also used SPI Dynamics WebInspect for web apps and
Application Security's AppDetective for some database assessment in the
past. We used Immunity's CANVAS in the past but have let the license
lapse; it's a nice tool, but Core's reporting features are much nicer,
and Core is easier and faster to use.

I see pentesting and assessment as complementary and often merge them
together for the sake of delivering the highest value. These tools are
excellent in the right hands and speed things up considerably.

That being said there is no substitute for a skilled assessor. I'm sure
we've all found issues that the scanners did not. They only go so far,
and have various issues with coverage and depth. I've found that
attackers will go further in many cases, and skilled pentesters can go
much further. I've met several of the folks from InGuardians and they
are very good, as are the people at Core security.

When I was a consultant, pentesting and assessment was an area I
specialized in. It takes a lot of time to do right and to keep up with,
so if you have the $ I'd suggest outsourcing it unless you have some
skilled and motivated staff.


Thanks,

James R. Pardonek, CISSP
Senior Network Administrator
Network Infrastructure Management and Maintenance
Computing Technology and Information Services
Purdue University Calumet
Hammond, Indiana

--
Curt Wilson
SIUC IT Security Officer & Security Engineer