Firewall Wizards mailing list archives

RE: Penetration testing via shrinkware


From: "McEwen, Don" <dmcewen () nsf gov>
Date: Thu, 3 Sep 1998 14:37:51 -0400

I'd like to agree that a human can do a much better job, 
however "For everything there is a season, and a time to every purpose
under the heaven." [Prov 3:1]

I recently had to scan several http hosts that I don't manage for a
particular vulnerability. I spent the better part of 2 hours looking for
this particular vulnerability on about 20 hosts. Sure, I could have
typed faster and had a better methodology, but an automated tool that
would check them should have taken 5 minutes or less.

My experience is that we have more "users" publishing web pages off the
desktop or "user" department with their own web servers and other
vulnerable machines. I'd think that the human would do a better job, but
what seems to happen in these cases is that the IT department doesn't
have the staff necessary to support an unlimited number of servers and
most just don't get any checking at all. An automated tool would at
least give some protection.

Don McEwen

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr net]
Sent: Thursday, September 03, 1998 10:19 AM
To: Stout, Bill; Firewall-wizards
Subject: Re: Penetration testing via shrinkware


What are the opinions on the thoroughness of shrinkwrap software
penetration testing?  Is today's shrinkware more capable for
penetration testing (a single machine) than a human?

I guess it depends on the human! :)

Can a program do a better job of testing than a lame, clueless
human? Sure! Can a program do a better job of testing than a
fairly experienced security guru? No. Can a program do a better
job of testing than an 3ll33t? No.

By extension, I'd assume that someone was a lamer if they were
using shrinkwrap. I'd assume they were bringing no native
expertise to the table, and I'd only pay them "shop time"
rates (e.g.: about $25/hr) instead of consultant rates
(you pay consultants for expertise not their ability to
click 'go').

One of the problems with shrinkwrap is that it's not a whole
lot faster and it can overlook really stupid stuff that a
human would detect in a heartbeat. For example, what about the
customer who has a telnet listener on port 25 behind a screening
router? The shrinkwrap will try to do DEBUG and WIZ on it but
won't try to log in as root.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
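
The failure mode in the quoted message (a tool that picks its checks from the port number, so a telnet listener on port 25 only gets SMTP checks) can be caught in an inventory sweep by classifying what a listener sends first. This is an added example, not part of either message; the function names, the port-to-protocol table and the sample greetings are constructed for illustration.

```python
# Added illustration: classify a service by what it says first, not by its port.
IAC = 0xFF                               # telnet "Interpret As Command" byte (RFC 854)
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT

EXPECTED = {23: "telnet", 25: "smtp"}    # what a port-based check assumes

def classify_greeting(data: bytes) -> str:
    """Guess the protocol from the first bytes a listener sends."""
    if len(data) >= 3 and data[0] == IAC and data[1] in NEGOTIATION:
        return "telnet"
    text = data.decode("ascii", errors="replace").strip().lower()
    if text.startswith(("220 ", "220-")):
        return "smtp"           # 220 greeting; FTP uses the same reply code
    if text.startswith("ssh-"):
        return "ssh"
    if text.endswith(("login:", "password:")):
        return "telnet"         # login prompt without option negotiation
    return "unknown"

def find_mismatches(observations):
    """Return (host, port, expected, seen) where the greeting contradicts the port."""
    out = []
    for host, port, first_bytes in observations:
        expected = EXPECTED.get(port)
        seen = classify_greeting(first_bytes)
        if expected and seen != expected:
            out.append((host, port, expected, seen))
    return out

# Constructed sample data (documentation addresses, not real hosts).
SAMPLE = [
    ("192.0.2.10", 25, b"220 mail.example.com ESMTP ready\r\n"),
    ("192.0.2.11", 25, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"),
    ("192.0.2.12", 25, b"\r\nSunOS UNIX (gw)\r\n\r\nlogin: "),
    ("192.0.2.13", 23, b"\xff\xfb\x01\xff\xfb\x03"),
]

if __name__ == "__main__":
    for row in find_mismatches(SAMPLE):
        print("%s:%d expected %s, saw %s" % row)
```

Hosts flagged this way are the ones where port-keyed checks would have tested the wrong protocol and need a manual look.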



