Firewall Wizards mailing list archives
RE: Penetration testing via shrinkware
From: "McEwen, Don" <dmcewen () nsf gov>
Date: Thu, 3 Sep 1998 14:37:51 -0400
I'd like to agree that a human can do a much better job, however "For everything there is a season, and a time to every purpose under the heaven." [Prov 3:1] I recently had to scan several http hosts that I don't manage for a particular vulnerability. I spent better part of 2 hours to look for this particular vulnerability on about 20 hosts. Sure I could have typed faster and had a better methodology but an automated tool that would check them should have taken 5 minutes or less. My experience is that we have more "users" publishing web pages off the desktop or "user" department with their own web servers and other vulnerable machines. I'd think that the human would do a better job, but what seems to happen in these cases is that the IT department doesn't have staff necessary to support an unlimited number of servers and most just don't get any checking at all. An automated tool would at least give some protection. Don McEwen
-----Original Message----- From: Marcus J. Ranum [mailto:mjr () nfr net] Sent: Thursday, September 03, 1998 10:19 AM To: Stout, Bill; Firewall-wizards Subject: Re: Penetration testing via shrinkwareWhat are the opinions on the thoroughness of shrinkwrap software penetration testing? Is today's shrinkware more capable forpenetrationtesting (a single machine) than a human?I guess it depends on the human! :) Can a program do a better job of testing than a lame, clueless human? Sure! Can a program do a better job of testing than a fairly experienced security guru? No. Can a program do a better job of testing than an 3ll33t? No. By extension, I'd assume that someone was a lamer if they were using shrinkwrap. I'd assume they were bringing no native expertise to the table, and I'd only pay them "shop time" rates (e.g.: about $25/hr) instead of consultant rates (you pay consultants for expertise not their ability to click 'go'). One of the problems with shrinkwrap is that it's not a whole lot faster and it can overlook really stupid stuff that a human would detect in a heartbeat. For example, what about the customer who has a telnet listener on port 25 behind a screening router? The shrinkwrap will try to do DEBUG and WIZ on it but won't try to log in as root. mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Current thread:
- RE: Penetration testing via shrinkware, (continued)
- RE: Penetration testing via shrinkware Christopher Nicholls (Sep 07)
- Re: Penetration testing via shrinkware tqbf (Sep 17)
- Re: Penetration testing via shrinkware Crispin Cowan (Sep 18)
- Re: Penetration testing via shrinkware Ted Doty (Sep 19)
- Re: Penetration testing via shrinkware tqbf (Sep 19)
- Re: Penetration testing via shrinkware Dave Whitlow (Sep 19)
- Re: Penetration testing via shrinkware Christopher Nicholls (Sep 19)
- Re: Penetration testing via shrinkware Adam Shostack (Sep 20)
- Re: Penetration testing via shrinkware Ivan Arce,CORE SDI (Sep 23)
- Re: Penetration testing via shrinkware tqbf (Sep 21)
- RE: Penetration testing via shrinkware Christopher Nicholls (Sep 07)
- Re: Penetration testing via shrinkware Crispin Cowan (Sep 19)
- Re: Penetration testing via shrinkware Paul D. Robertson (Sep 20)