Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "Stephen P. Berry" <spb () incyte com>
Date: Thu, 03 Sep 1998 18:14:03 -0700
What are the opinions on the thoroughness of shrinkwrap software penetration testing? Is today's shrinkware more capable for penetration testing (a single machine) than a human?
Anyone relying entirely on an automated process for security auditing, like anyone relying entirely on a GUI for administration, is living in a state of sin.

That being said, I think the question is a bit of a red herring. Obviously the capabilities of both vary greatly. The issue is basically one of resource management. In most organisations, you have a couple mad scientists and a bunch of hunchbacks. If your shrinkware is reasonably droolproof, it allows you to fob off something like penetration testing onto one of your hunchbacks. Whether or not this is sufficient is another matter, and one which will depend a great deal on how serious a concern penetration testing is.

One of the major philosophical objections I have to many security/intrusion detection/penetration testing systems is that they are often used -instead of- review of infrastructure and implementation. That is, rather than sitting down and sifting through the config files, whiteboarding the topology, u.s.w., whatever happens to get cobbled together is schlepped right into production and -then- pounded on with an auditing tool. If it doesn't fall over, everyone dozes off. If the auditing widget screams about something, then the specific problems reported by the widget are spackled over.

Put another way, _post hoc_ analysis using tools like scanners tends to produce _ad hoc_ workarounds. This is no substitute for intelligent design and skillful implementation.

Granted, there is nothing about automated tools which dictates that they -must- be used in this way, but if you start talking about using shrinkware in place of hands-on twiddling that's the scenario which occurs to me.

-Steve