Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions?

[gbugbear at gmail.com (Bugbear)]

So I was listening to the Risky Business Podcast this AM (#85) on my commute
in (right after finishing part II of pauldotcom) and they had Tenable
Network Security's CSO Marcus Ranum on. Marcus stated that he felt tools
such as Core and Metasploit had no usefulness in pen test. He emphasised
that a design review and vulnerability scanning should be enough.

While I may have misunderstood his statements and I do agree design/config
reviews and vulnerability scanning needs to be the first and second step of
any regular review, pen test, etc... I completely disagree on his comments
on using such aforementioned tools in conjunction with products such as
Nessus. i.e. Nessus is not going to tell me if my blackberry user is
connecting to free wifi and is vulnerable to Karma, etc..

Thoughts, comments, opinions? Interested in what the viewpoint of the broad
background of pauldotcom listeners! Or maybe someone can clarify his
comments for me.

Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081029/0d3b8f8e/attachment.htm