Penetration Testing mailing list archives

Re: My Frustrations

From: Nick Besant <lists () hwf cc>
Date: Thu, 18 Dec 2008 20:57:53 +0000

H D Moore wrote:

On Wednesday 17 December 2008, Adriel T. Desautels wrote:
I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people
that are offering security services and posing as experts, thats the
subject of the post. Please comment, insult, whatever... I'm
interested.
I agree with it for the most part - half the questions posed to this listwould immediately disqualify the person as an expert, let alone aprofessional. The experienced folks tend to just post announcements orreply back to the former group. I would love to see this list turn backinto real discussions of pen-testing challenges, but publicly asking forhelp on a job as reputation-centric as pen-testing carries a stigma of itsown. The last thing you want a potential client to see is your lead pen-
tester asking for help on a SQL injection vulnerability.

I really don't see a way forward.

-HD

I think an important issue is that many of the people posting thosequestions to the list are failing to avoid the trap of performing purelysubjective assessments. Pen-testing still retains some aspects of ablack art to many, including clients; as tools and "for dummies" guidesproliferate and such tools become easier to use, it becomes easy forthose with minimal experience to put forth a seemingly convincing salespitch.This includes established professional services organisations andconsultancies as well as smaller establishments; I have seen reportsfrom these organisations that are very much the reformatted Nessusoutput referred to in earlier responses.With this in mind I agree that there is no obvious way forward - unlesssome useful, international, easy-to-use, low-cost regulatory body wereto suddenly pop into existence, perhaps.


--
Nick




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Current thread:

Re: My Frustrations Step Two, (continued)
- - - Re: My Frustrations Step Two Paul Melson (Dec 19)
    - Re: My Frustrations Step Two Adriel T. Desautels (Dec 19)
  - Re: My Frustrations security curmudgeon (Dec 18)
  - Re: My Frustrations M.B.Jr. (Dec 18)
- Re: My Frustrations Alex Moen (Dec 18)
  - Re: My Frustrations Adriel T. Desautels (Dec 18)
  - Re: My Frustrations M.B.Jr. (Dec 19)
    - RE: My Frustrations Baykal, Adnan (CSCIC) (Dec 19)
    - RE: My Frustrations Erin Carroll (Dec 19)
- Re: My Frustrations H D Moore (Dec 18)
  - Re: My Frustrations Nick Besant (Dec 18)
    - RE: My Frustrations THOMAS, DEDRIC (ATTCLSMA) (Dec 18)
- Re: My Frustrations security curmudgeon (Dec 18)
  - Re: My Frustrations Adriel T. Desautels (Dec 18)
    - RE: My Frustrations suess13 (Dec 19)
    - Re: My Frustrations Adriel T. Desautels (Dec 19)
    - RE: My Frustrations Alex Eden (Dec 19)
    - RE: My Frustrations Nick Vaernhoej (Dec 19)
  - Re: My Frustrations Pete Herzog (Dec 20)
    - Message not available
    - Re: My Frustrations Pete Herzog (Dec 21)
- Re: My Frustrations Dotzero (Dec 18)

(Thread continues...)