Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

External Pentests Obsolete?

From: "Yiannis Koukouras" <d4rw1n () linuxmail org>
Date: Thu, 9 Aug 2007 07:18:36 +0000
Hi all,

Do you think that an external infrastructure pentest is nowadays obsolete?

What I want to say is that, most of the serious companies nowadays will only have a few servers on their DMZ (web 
server, mail server, SSL concentrator, terminal server, citrix) and will only allow access to one or two ports for each 
of them. The rest of the infrastructure (excluding the internet facing router and firewall) will be completely 
inaccessible.

Thus, if web application testing is out of scope, there isn’t much to test, is it? Only half a dozen of services to 
check vulnerabilities and misconfiguration, check if mail rely is on, make a password bruteforce attack(?), check that 
the DNS can’t be poison and VOILA! You have finished!

Do you think that it is ethical to consult our clients to “buy” an external pentest anymore?

P.S. If I am wrong, PLEASE prove me wrong!

-- 
Ioannis Koukouras
CISSP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras 

=
Cruise Value Center - Mexico Cruises
Cruise Value Center is one of America's leading discount brokers on Mexican cruises. Let our experts help you choose 
the cruise vacation package that will meet your budget and lifestyle.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=83149e4a674877039cb5c210b2445439


-- 
Powered by Outblaze

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: