Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: emaiwald () shell fred net
Date: Thu, 3 Sep 98 13:16:41 EDT
Marcus wrote:
> Bill wrote:
> > What are the opinions on the thoroughness of shrinkwrap software penetration testing? Is today's shrinkware more capable for penetration testing (a single machine) than a human?
>
> I guess it depends on the human! :)
No argument there.
> Can a program do a better job of testing than a lame, clueless human? Sure! Can a program do a better job of testing than a fairly experienced security guru? No. Can a program do a better job of testing than an 3ll33t? No. By extension, I'd assume that someone was a lamer if they were using shrinkwrap. I'd assume they were bringing no native expertise to the table, and I'd only pay them "shop time" rates (e.g.: about $25/hr) instead of consultant rates (you pay consultants for expertise not their ability to click 'go').
Hold on one second. The use of automated tools may be more time effective than using in-house developed tools (why reinvent the wheel?). I will agree that using ONLY the tools is not helpful, but the tools can provide the initial info to begin probing for a penetration.
> One of the problems with shrinkwrap is that it's not a whole lot faster and it can overlook really stupid stuff that a human would detect in a heartbeat. For example, what about the customer who has a telnet listener on port 25 behind a screening router? The shrinkwrap will try to do DEBUG and WIZ on it but won't try to log in as root.
Again, no disagreement. However, the fact is that most clients are not going to pay for an experienced person to test every single machine or access point on their nets by hand. As with everything else, there are tradeoffs. You try to provide the best service to the client for the best price. In most cases, this is a combination of automated tools and human expertise targeted at juicy looking access points.

Eric

--
---------------------------------------------------------------------
Eric Maiwald, CISSP             emaiwald () fred net
Director Security Services      301-977-6966
Fortrex Technologies, Inc.      North Potomac, MD
---------------------------------------------------------------------