Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions?

[arch3angel at gmail.com (Arch Angel)]

I have seen in the past were people who did not know the results of poor
choices have their minds turned around by things such as the live results of
a scan.  For example, while I was in the Army commanders knew nothing about
computers let alone security, I simply educated them and showed them the
results of poor choices, that is something they took that with them.  In a
perfect world we would not need these tools, however in the real world I
believe we need education, and more so those who educate.  If we, the
professionals of the world, no matter your profession fail to bring examples
from the real world into our educational programs then we not only fail that
person we fail as an educator.

"Give the man a binary and he plays for days.  Give him source and he plays
for life!"

Show them the real world examples and help educate them on prevention, if
all else fails beat them really hard.

Just kidding....

On Wed, Oct 29, 2008 at 10:15 AM, Jack Daniel <jackadaniel at gmail.com> wrote:

> One thing Marcus said which I think is dead on is that if you have to
> "rub someone's nose in it" to convince them they have a problem
> (actually exploit a vuln and compromise something) we're already
> screwed.  How do you create a secure environment if decision makers
> minds are set to default-ignore?  If I were an optimist, I would say
> people learn and change. Then again, if I were an optimist, this would
> be a poor career choice.
>
>
> Jack
>
>
> 2008/10/29 Bugbear <gbugbear at gmail.com>:
> > So I was listening to the Risky Business Podcast this AM (#85) on my
> commute
> > in (right after finishing part II of pauldotcom) and they had Tenable
> > Network Security's CSO Marcus Ranum on. Marcus stated that he felt tools
> > such as Core and Metasploit had no usefulness in pen test. He emphasised
> > that a design review and vulnerability scanning should be enough.
> >
> > While I may have misunderstood his statements and I do agree
> design/config
> > reviews and vulnerability scanning needs to be the first and second step
> of
> > any regular review, pen test, etc... I completely disagree on his
> comments
> > on using such aforementioned tools in conjunction with products such as
> > Nessus. i.e. Nessus is not going to tell me if my blackberry user is
> > connecting to free wifi and is vulnerable to Karma, etc..
> >
> > Thoughts, comments, opinions? Interested in what the viewpoint of the
> broad
> > background of pauldotcom listeners! Or maybe someone can clarify his
> > comments for me.
> >
> > Tim
> >
> >
> >
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
>
> --
> ______________________________________
> Jack Daniel, Reluctant CISSP
> http://blog.uncommonsensesecurity.com
> http://www.linkedin.com/in/jackadaniel
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20081029/bb9a2487/attachment.htm