Penetration Testing mailing list archives
Re: Research on penetration testing?
From: Pete Finnigan <plsql () petefinnigan com>
Date: Wed, 15 Dec 2004 17:41:02 +0000
I would agree with this if you wish to follow a less technical line. The ROSI problem (Return on Security Investment). How to sell penetration testing and vulnerability assessment, cost savings and so on.
Hi, I would agree with this idea. When I read this my thoughts went immediately to the book "Optimizing Oracle performance" written by Cary Millsap and Jeff Holt - Published by O'Reilly. This book, quite obviously by the title is about tuning Oracle and not about penetration testing - bear with me..:-) The book describes the new (ish) method of using the Oracle wait interface (instrumentation in the Oracle kernel) for tuning. But the big idea in the book is that fact that using this method the tuning effort is repeatable and calculable in advance in terms of effort and cost benefits. Cary and Jeff describe how its possible to analyse the issue and then identify the key business processes that are a problem and finally also identify the time saving that is possible with solutions (This is possible because what they are doing is analysing lost time in the processing of data - so that time is highlighted in detailed steps in the kernel source) and hence the cost benefit to the organisation. This is mind blowing when you consider previous efforts were based on trial and error. e.g. change this parameter and see if the program is faster... no... now change it back and then try another parameter instead... and so on.... with "method R" as described by the authors the tuning effort is acutely focused based on cost benefit to the business and the cost benefits of the possible solutions are known. Now if this breakthrough in tuning could be applied to penetration testing then the cost benefits for customers would be great. I would say also that anyone who could offer this service would be in a commanding position. Managers like to see costs and benefits..:-) It is like the difference between alchemy and science. Whether its possible to apply these ideas to penetration testing or not is difficult to know. Also I feel the solution would probably be technical as well as business related. In the Oracle book, the authors have developed perl scripts to apply the ideas and also utilize queuing theory in the solutions. I think ideas along this line would make a great project. Hope this helps Kind regards Pete -- Pete Finnigan (email:pete () petefinnigan com) Web site: http://www.petefinnigan.com - Oracle security audit specialists Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Current thread:
- Research on penetration testing? Ole Martin Dahl (Dec 13)
- Re: Research on penetration testing? Marco (Dec 13)
- RE: Research on penetration testing? Harshul Nayak (Dec 16)
- <Possible follow-ups>
- Re: Research on penetration testing? H Carvey (Dec 13)
- RE: Research on penetration testing? Rishi Pande (Dec 13)
- Re: Research on penetration testing? Gareth Davies (Dec 14)
- Re: Research on penetration testing? Pete Finnigan (Dec 15)
- Re: Research on penetration testing? leonardo (Dec 15)
- Re: Research on penetration testing? SecurIT Informatique Inc. (Dec 16)
- RE: [in] Re: Research on penetration testing? Curt Purdy (Dec 20)
- RE: Research on penetration testing? Rishi Pande (Dec 13)