Re: Penetration testing via shrinkware

["Marcus J. Ranum" <mjr () nfr net>]

> What are the opinions on the thoroughness of shrinkwrap software
> penetration testing?  Is today's shrinkware more capable for penetration
> testing (a single machine) than a human?

I guess it depends on the human! :)

Can a program do a better job of testing than a lame, clueless
human? Sure! Can a program do a better job of testing than a
fairly experienced security guru? No. Can a program do a better
job of testing than an 3ll33t? No.

By extension, I'd assume that someone was a lamer if they were
using shrinkwrap. I'd assume they were bringing no native
expertise to the table, and I'd only pay them "shop time"
rates (e.g.: about $25/hr) instead of consultant rates
(you pay consultants for expertise not their ability to
click 'go').

One of the problems with shrinkwrap is that it's not a whole
lot faster and it can overlook really stupid stuff that a
human would detect in a heartbeat. For example, what about the
customer who has a telnet listener on port 25 behind a screening
router? The shrinkwrap will try to do DEBUG and WIZ on it but
won't try to log in as root.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr