Penetration Testing mailing list archives

RE: 3rd party vuln assesment firms

From: "Erin Carroll" <amoeba () amoebazone com>
Date: Tue, 27 Dec 2005 22:16:25 -0800

I love it when vendors make claims such as this;

"A Hacker's Eye View of Your Network"

and even better;

"We use the same tools hackers bring to bear against your systems.
However, instead of exploiting those vulnerabilities, we 
compile vulnerability results with easy to understand 
explanations and links to the needed patches and updates, and 
then deliver the reports to your desktop on a regular basis. "

So in other words they run NMap and/or Nessus.

Yup... h4x0rs eye view.  ROFL.


Nmap.. Okay you have a point as it realy only identifies what is open.
Nessus on the other hand is a happy medium where you can poke at the
openings to see what happens. Not all organizations have the in-house
security expertise to perform security audits and Nessus (along with other
similar tools such as the Metasploit framework, Core Impact, etc) is one of
the better tools out there to perform relatively in-depth scans of your
infrastructure. No, it doesn't take a lot of skill to run a tool but
interpreting the results, winnowing out the false positives, and knowing
which of the issues found is relevant and important (and how to address
them) is where the skill and knowledge is important.

Is it truly a hacker's view of your network? Sure... for a certain level of
hacker. Is it Uber l337? No. However, not many businesses need (or can
afford) the kind of in-depth analysis and expertise you'd find at the upper
level of the industry. Code auditing, custom-written NASL exploit packages,
deep understanding of the intricate details of each application... These are
great if you can afford it or absolutely must have it. But past a certain
point you face diminishing returns and you have to decide at which point it
is secure "enough".

The more experience I've gained in security, the more I need to learn.
Looking back I can see how naïve my concept of security was when I started
and I can only imagine what I'll think of my skills now in 10 years. At some
point we were all script kiddies using tools written by others. Eventually
you learn to write your own and use the existing tools out there to their
fullest potential. But the old adage still remains true: The only truly
secure system is one encased in cement and sunk to the botom of the ocean...
And even then I'm making no guarantees. :)


-Erin Carroll
Moderator
SecurityFocus pen-test list


On 12/27/05, Michael Weber <mweber () alliednational com> wrote:

Happy New Year!

I have been using both the internal and external vuln. assessment 
products from NetChecker.  They use an array of standard

tools, along

with some custom code and human analysis.  I like the product, the 
price, and the results.

www.netchecker.net is their web site.

-Michael

<rklemaster () hotmail com> 12/23 11:27 AM >>>

I'm looking for a firm to conduct annual 3rd party vulnerability 
assesments for a nationwide carrier ISP. If anyone has any

references

or stories to share, I'd like to hear about them.
thanks!




E-MAIL CONFIDENTIALITY NOTICE: This communication and any associated
file(s) may contain privileged, confidential or proprietary 
information or be protected from disclosure under law

("Confidential

Information").  Any use or disclosure of this Confidential 
Information, or taking any action in reliance thereon, by any 
individual/entity other than the intended recipient(s) is strictly 
prohibited.  This Confidential Information is intended

solely for the

use of the
individual(s) addressed. If you are not an intended recipient, you 
have received this Confidential Information in error and have an 
obligation to promptly inform the sender and permanently

destroy, in

its entirety, this Confidential Information (and all copies

thereof).

E-mail is handled in the strictest of confidence by Allied

National,

however, unless sent encrypted, it is not a secure communication 
method and may have been intercepted, edited or altered during 
transmission and therefore is not guaranteed.

----------------------------------------------------------------------

-------- Audit your website security with Acunetix Web

Vulnerability

Scanner:

Hackers are concentrating their efforts on attacking

applications on

your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application

hacking. Check

your website for vulnerabilities to SQL injection, Cross

site scripting and other web attacks before hackers do!

Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831

----------------------------------------------------------------------

---------


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking 
applications on your website. Up to 75% of cyber attacks are 
launched on shopping carts, forms, login pages, dynamic 
content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website 
for vulnerabilities to SQL injection, Cross site scripting 
and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.8/215 - Release 
Date: 12/27/2005


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.14.8/215 - Release Date: 12/27/2005
 


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Re: 3rd party vuln assesment firms, (continued)
- Re: 3rd party vuln assesment firms Erin Carroll (Dec 23)
  - Re: 3rd party vuln assesment firms Ivan Arce (Dec 23)
    - Re: 3rd party vuln assesment firms neal wise (Dec 24)
  - Re: 3rd party vuln assesment firms raven (Dec 27)
    - Re: 3rd party vuln assesment firms Roland Dobbins (Dec 27)
    - RE: 3rd party vuln assesment firms Chris Serafin (Dec 28)
- Re: 3rd party vuln assesment firms Byron Sonne (Dec 23)
- RE: 3rd party vuln assesment firms Wray, Donald W (Dec 26)
- Re: 3rd party vuln assesment firms Michael Weber (Dec 27)
  - Re: 3rd party vuln assesment firms InfoSecBOFH (Dec 27)
    - RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)
    - RE: 3rd party vuln assesment firms Nathan (Dec 28)
- Re: 3rd party vuln assesment firms rklemaster (Dec 27)
  - RE: 3rd party vuln assesment firms Erin Carroll (Dec 27)
- FW: 3rd party vuln assesment firms Adrian Chiang (Dec 28)
  - Re: FW: 3rd party vuln assesment firms Peter Wood (Dec 29)