Penetration Testing mailing list archives
RE: Why Penetration Test?
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 16 Jun 2005 01:49:30 -0700
Just a quick note for list members from your friendly Moderator: Pete makes some excellent points in this email regarding how to address security/business process failures in reports, but please bear in mind that most ethical questions/discussions are considered inappropriate to the list (they tend to get bogged down in ideology and flamefests after a while). I don't particularly foresee that happening here but am giving a heads-up as a reminder.

Snipped from the pen-test list charter:

0.1.3 What is inappropriate content?

* Ethics or morality discussions. This list will facilitate discussions not for the weak of heart. Its goal is to provide information to people who are professionals or whose job demands they must break into computers. If you have a moral or ethical dilemma around this topic please do not sign up to the list.

Erin Carroll
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: Pete Herzog [mailto:lists () isecom org]
Sent: Thursday, June 16, 2005 1:19 AM
To: pen-test () securityfocus com
Cc: intel96; julie.holmwood () securityfocus com
Subject: Re: Why Penetration Test?

Hi,

intel96 wrote:

> One question I have not seen yet concerning is why PenTest is: To justify your job and a budget.

It's not uncommon to meet ethical challenges on any job. Fudging data to meet your economic gains or to help someone else do so always becomes a harder decision when the economic gains increase. The argument is also true that if you don't help them achieve their goals then they will find someone else who will, as the world is full of financially rewarded yet ethically-challenged people. And business is business, right? And it's not like you're a doctor, right?

I just finished the Foreword to a college textbook focused heavily on OSSTMM Security Testing due out in September/October from Thomson Learning where I challenge this notion as a non-personal one because we are all reliant on each other when it comes to security (unless you happily spend your days out of the sun in your deep, self-sustaining bomb shelter). A small quote so I don't have to put forward the challenge again:

"We are all victims of other people's bad security decisions all the time. At best it's just the inconvenience of the security guard checking our receipt as we leave the store. At worst, there's no limit to the annoyances, inconveniences, problems, deaths, and destruction that can result. I don't want to be in that position where I failed to open your eyes to the problem only to have it become my problem. I don't know where any of you will be in 5 or 10 years but I'm sure even if you are not a security professional you will have the ability to affect security in my life through commentary, decision, vote, or inaction."

> Now the biggest questions that I get from the customer is how did you bypass my filters (IDS, IPS) and I need you to rewrite the final report so I can obtain more funding.........to buy more security and hire more people.....the biggest hole that I found was the lack of security internal process. These things require leadership to fix not more funding!!!!!!!!! How do you state that in a report?

By pointing out the processes which failed rather than the equipment. Analysis will show the clear cause and effect in many of these situations and while it may be leadership, you may have more success by building a case that stops short of finger-pointing unless you really know 100% that it is leadership alone that causes the problems. Base your report on facts and objective analysis of those facts.

> So IMHO every project is different based on the customer's needs (more funding and more head count). The other issue is how to set the clowns apart from the professionals, which is becoming harder to do because there are more clowns and not enough professionals and the clowns are hurting the rest of us....

Every project is different but how much you are willing to sell your compromised integrity for should be static. Treat every project like it's the one you may be remembered for and try to make sure you're clear with yourself and your company what exactly you want to be remembered for. If you want to be different from the clowns then you can't let economic gain differentiate for you. The sad truth is that there's a lot of rich clowns with wonderful lives.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.