Penetration Testing mailing list archives
Re: Penetration tester or Ethical hacker future?
From: Nikos Tsagarakis <n.tsagarakis () innova-sa gr>
Date: Fri, 31 Aug 2007 11:41:55 +0300
Paul Melson wrote:
Now the question, I really want to know what is your thought on where the penetration testing market is going?
I'd say that the pen-test market as we know it today has another 5-10 years on its feet thanks to regulations like PCI. Eventually companies will lose interest for any number of potential reasons:
1. They figured out Internet service security and got bored with empty reports.
2. They bought a scanner and brought it all in house. (Nessus runs on Windows now!)
3. They get owned despite clean pen-test reports and now think it's a waste of money.
I do not believe that penetration testing is a waste of money. My approach is that we perform penetration testing to find the riskiest attack path that a malicious user should follow... As for the previous post "what we are selling? with penetration testing".... we offer to the client's organization the opportunity to test their system's security against an attack that is similar to a really malicious offender. To do this you need to exploit vulnerabilities.. to exploit vulnerabilities you need skilled persons to do the job who cost a lot... this is why the market may require an approach of the vulnerability assessment closer to penetration testing (done by automated tools) which is cheaper. So the deduction of the above is that pen-test probably will never die and will probably not be replaced by automated tools.
This will leave pen-testers to fight over the emerging security QA market. Instead of pen-testing a company's network, you'll pen-test their product. In its early stages, this will separate the men from the boys, so to speak. But eventually black/grey box testing tools like fuzzers and debuggers will get slick GUI's and scripted test suites, too.
Will the penetration tester job description change over time because of the evolution of automated tools?
It already has. It's a done deal. Any pen-test shop that tells you they don't use ISS, Nessus, Rapid7, or Qualys is lying. The good shops hire good people and write custom tools in addition to the commercial scanners. The bad ones just overcharge for a pretty binder. Unfortunately, the bad outnumber the good 10:1.
Do you think it's worth the effort to train and keep people in the company for doing pen testing? What I mean by this is say - an average skill penetration testing costs say 60k/year + 20k of automated tools = 80k/year -> can deliver quality say 70% VS - someone with highly skilled that cost to the organization 150k whilst can deliver quality say 90% If at the end COMPLIANCE is still the main driving for penetration testing. Should we say Quality is the 2nd priority?
Only if organizationally compliance is the first priority, which it shouldn't be, but often is. Most companies do not benefit from having a Dave Aitel or Dan Kaminsky on their internal staff. It makes more sense to hire them to beat up on the new stuff and/or the important stuff and supplement that work with cheaper scanning-tool based work done in-house.
The reason why I asked this question is because I notice that Virus Analyst position only available if you are working in the Anti-virus Vendor such as McAfee, Symantec, etc While Big organization usually employ Anti-virus administrators as opposed to Virus Analyst? I strongly believe the reason for this is because Anti-virus market has matured and people are more and more relying on Anti-virus Software.
Has anti-virus software solved the problem? No of course, since there still many new viruses coming out every second. I am not sure this is the correct analogy or not but I hope you get the point.
Actually, I think it's a pretty good analogy. AV software and vulnerability scanners work very similarly. They look for known patterns either in recorded data or system behavior. And there are big detection gaps in both of these approaches that, for now at least, can only be covered by talented hands.
How can an automated tool predict all the probable combinations of attacks that a skilled penetration tester will choose to perform (I have already used CORE Impact....)?
PaulM
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
--
Nikos Tsagarakis
Technical Information Security Consultant
INNOVA S.A.
http://www.innova-sa.gr