Re: Penetration Tests

[Brian Mitchell <brian () firehouse net>]

On Thu, 25 Sep 1997, Marcus J. Ranum wrote:

> > If you have tools, documentation or a template for considerations
> > I'd be grateful. This will be part of an overall risk/vulnerability
> > audit, which I have no problems with.
>
> A lot of consultants, auditors, and companies that make
> scanner software, would consider that to be incredibly
> valuable intellectual property. Don't be surprised if you
> don't get a lot of information.
>
> An interesting side-effect of the huge market for computer
> security products and services is that it's served to
> *increase* the secretiveness of security experts. Unfortunately,
> what we really need to be doing is the opposite - sharing
> information. But, in a lot of cases, it's hard to expect one
> to do otherwise because there's a lot of money at stake.
>
> It'll be interesting to see if anyone provides any information
> to the list. [Moderator's note: I WILL suppress "me too"
> postings in this thread]

I'm not sure if it's a big secret. Getting ballista/iss quality
penetration testing stuff is not very difficult, merely time consuming. I
do, however, tend to agree with you about the lack of information, based
primarily on the commercial marketability of the information.

Why give it away if you can sell it :)