Penetration Testing mailing list archives
Penetration tester or Ethical hacker future?
From: "IRM" <irm () iinet net au>
Date: Wed, 29 Aug 2007 19:12:54 +1000
Hi all, I had a thought and want to share with you all especially looking for feedback and suggestion. What do you guys think about penetration tester market? Most of you would be agreed that penetration testing market has became commodity. Moreover as a penetration tester, I agree that automated penetration testing tools like Core IMPACT, etc can never replace us as we still need to verify all the findings and identify false positive. Nothing wrong with those automated tools, I think really it's a great tool! A decent penetration tester would typically have a broad range of IT skills from Operating System, Network to Programming. I also need to mention that these broad range of skills are not something that you could gain by working for 2-3 years, I believe that a good penetration tester could gain these broad ranges of skill in at least 5 years? Maybe more or less depending the person I guess. So I would expect for a company to hire these kind of penetration testers they need to spend a little bit of cash for their wages. To sum up, I think a penetration tester or ethical hacker has highly technical skills. At the end of the day, Business is business. Who cares if you possess highly technical skills? The business and its people especially the C-executive level are only interested Whether your highly technical skill can bring more revenue or money to them? Right? It is interesting that the top major reason why business now days considering pen testing on its agenda is because of compliance and as part of risk management agenda rather than security wise they need it or fear of someone can break in. So I strongly believe COMPLIANCE is still the main reason for any vulnerability testing activities in the company. Now the question, I really want to know what is your thought on where the penetration testing market is going? Will the penetration tester job description will change over time because of the evolution of automated tools? Do you think it's worth the effort to train and keep people in the company for doing pen testing? What I mean by this is say - an average skill penetration testing costs say 60k/year + 20k of automated tools = 80k/year -> can deliver quality say 70% VS - someone with highly skilled that cost to the organization 150k whilst can deliver quality say 90% If at the end COMPLIANCE is still the main driving for penetration testing. Should we say Quality is the 2nd priority? The reason why I asked this question is because I notice that Virus Analyst position only available if you are working in the Anti-virus Vendor such as Mcafee, Symantec, etc While Big organization usually employ Anti-virus administrators as opposed to Virus Analyst? I strongly believe the reason for this is because Anti-virus market has matured and people are more and more relying on Anti-virus Software. Has anti-virus software solved the problem? No of course, since there still many new viruses coming out every second. I am not sure this is the correct analogy or not but I hope you get the point. Please advise and suggestions are all welcome. Cheers, Paul ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Auditing microsoft IIS 5/6.0 Nikolaj (Aug 28)
- Re: Auditing microsoft IIS 5/6.0 Nikhil Wagholikar (Aug 28)
- Penetration tester or Ethical hacker future? IRM (Aug 29)
- Re: Penetration tester or Ethical hacker future? David Jacoby (Aug 30)
- RE: Penetration tester or Ethical hacker future? Paul Melson (Aug 30)
- Re: Penetration tester or Ethical hacker future? Nikos Tsagarakis (Aug 31)
- RE: Penetration tester or Ethical hacker future? Paul Melson (Aug 31)
- Penetration tester or Ethical hacker future? IRM (Aug 29)
- Re: Auditing microsoft IIS 5/6.0 Nikhil Wagholikar (Aug 28)
- Re: Auditing microsoft IIS 5/6.0 rajat swarup (Aug 29)
- Re: Auditing microsoft IIS 5/6.0 Ivan . (Aug 30)
- Re: MS Access injection Gichuki. John (Aug 30)