Penetration Testing mailing list archives
Re: Penetration tester or Ethical hacker future?
From: David Jacoby <security () outpost24 com>
Date: Thu, 30 Aug 2007 12:36:05 +0200
IRM wrote:
> Now the question, I really want to know what is your thought on where the penetration testing market is going? Will the penetration tester job description change over time because of the evolution of automated tools?
I think the automated vulnerability scanning market is going to grow a lot; it is the most cost-effective way to determine if you are vulnerable against common known vulnerabilities. It is not used to eliminate att vulnerability, but as a verification tool. By using these automated tools it also helps the user(s) to manage their security issues. I don't see it as a replacement for a manual penetration test, but I actually see manual penetration tests as a complement to automated vulnerability scanning.
> Do you think it's worth the effort to train and keep people in the company for doing pen testing? What I mean by this is say - an average skill penetration testing costs say 60k/year + 20k of automated tools = 80k/year -> can deliver quality say 70% VS - someone highly skilled that costs the organization 150k whilst can deliver quality say 90%. If at the end COMPLIANCE is still the main driver for penetration testing, should we say Quality is the 2nd priority?
First of all I think it's strange that you "teach" people to do penetration tests. People who do it should do it because they love doing it; I personally look at it as an art form. Everyone can use tools such as CORE Impact, Nessus or BackTrack, but not everyone can be a good penetration tester. When people ask us at Outpost24 about this we often say that automated vulnerability scanning is not a replacement for manual penetration tests.

A manual penetration test is maybe performed 2 or at max 4 times in a year at a company. They will hopefully find almost all the vulnerabilities and report them back to the client. The problem is that the day after they leave, new vulnerabilities are released, and this may result in the company that just spent 60k having one of their machines compromised the day after the pentest team reported their findings. Automated vulnerability scanning should be used on a weekly basis to reduce the risk of getting attacked by new vulnerabilities, and as a complement to automated tools a pentest team should come in and do a deeper test and maybe also verify the findings from the automated tool. It is also important to understand that a manual pentest team may find vulnerabilities which have not been found yet, especially if a client uses home-brew in-house applications.
> The reason why I asked this question is because I notice that Virus Analyst positions are only available if you are working for an anti-virus vendor such as McAfee, Symantec, etc., while big organizations usually employ anti-virus administrators as opposed to Virus Analysts. I strongly believe the reason for this is because the anti-virus market has matured and people are more and more relying on anti-virus software. Has anti-virus software solved the problem? No of course, since there are still many new viruses coming out every second. I am not sure this is the correct analogy or not but I hope you get the point.
Anti viruses are almost not needed today; most viruses are spread via known vulnerabilities and not via floppy discs etc. as it used to be. Another big problem is that people are starting to find vulnerabilities in so-called "security software" that is installed to prevent attackers but actually does the opposite; they increase the attack surface.

Best regards,
David Jacoby

--
David Jacoby
Vice President Customer Experience
http://www.outpost24.com