Penetration Testing mailing list archives
RE: My Frustrations
From: "Alex Eden" <Alex.Eden () senet-int com>
Date: Fri, 19 Dec 2008 15:13:48 -0500
I think pen testers that work without good business developers are probably the most frustrated ones... It is not enough to know how to write an exploit and wreak havoc on a network - here, in the States at least, your team needs to have business acumen and the ability to start, develop, and maintain good client relationships. Just being a kewl super-duper hacker/cracker/pen tester won't get anyone far. The industry is sort of self-regulated now, and I strongly believe it should remain self-regulated. A good salesman can sell a lame security appliance. A good business developer can always sell his lame pen testers. In the federal government community, CISOs and contracting officers talk to each other and prefer to work with vendors that have a good reputation.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adriel T. Desautels
Sent: Friday, December 19, 2008 9:51 AM
To: suess13
Cc: 'security curmudgeon'; 'pen-test list'
Subject: Re: My Frustrations

Not if you know a thing about exploiting bugs.

On Dec 19, 2008, at 8:47 AM, suess13 wrote:
IMO, or in my opinion, isn't that like asking what the significance of DLP is? It all depends on the context in which the question was asked. DLP could mean Digital Light Processing or Data Leakage Prevention. EIP may refer to:

- Economically inactive population
- Enterprise information portal, a type of web portal
- Eco-industrial park, a type of industrial park
- Extended Instruction Pointer, an address register in the IA-32 architecture
- Xerox's Extensible Interface Platform, a software platform upon which developers can create server-based applications that can be configured for a multifunction printer's touch-screen interface
- South Carolina Employee Insurance Program

Or how about the significance of CUA?

CUA Catholic University of America
CUA Common User Access
CUA Canadian Urological Association
CUA Cost Utility Analysis
CUA Certified Usability Analyst
CUA Clean Up Australia
CUA Commonly Used Acronym
CUA Center for Ultracold Atoms
CUA Credit Union Atlantic (Nova Scotia, Canada)
CUA Commercial Use Authorization
CUA Compassionate Use Act of 1996 (California)
CUA Centralized User Administration (Nortel)
CUA Certified Urologic Associate (nursing)
CUA Circuit Unit Assembly
CUA Carrier Utilization Agreement
CUA Co-Utilization Agreement
CUA Catholic University of Angola
CUA CU Aerospace (Champaign, Illinois)
CUA Combat Useable Asset
CUA Computer User Access
CUA Connection Update Acknowledge
CUA Cross-, Up-Selling and Accessories Products (SAP Internet Sales Web-Shop)
CUA Communications Unit Automation
CUA Certified Unix Administrator
CUA Cisco Unity Assistant

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Adriel T. Desautels
Sent: Thursday, December 18, 2008 10:46 AM
To: security curmudgeon
Cc: pen-test list
Subject: Re: My Frustrations

Amen brother! I do particularly agree about the certification comment that you've made. I frequently run into people who are certified with all sorts of goodies, but then when I ask them a simple question like "What is the significance of the EIP?" they respond with "What's an EIP?". Can I post your comment on the blog, or maybe you can do it?

On Dec 18, 2008, at 10:35 AM, security curmudgeon wrote:

: I recently wrote this blog entry and wanted to get some comments from
: readers of this list. I'm frustrated with the caliber of the people that
: are offering security services and posing as experts, that's the subject
: of the post. Please comment, insult, whatever... I'm interested.
:
: http://snosoft.blogspot.com/

You are preaching to a (very small) choir here. The kind of choir where everyone thinks they are a part of.

First, this problem isn't new [1]. The industry has had its fair share of charlatans and frauds over the years. In the last five years, the number of posts to this list and others is bordering on absurd, that start out with "i've been [hired|told|contracted] to do a pen test of our [network|application|physical] security, where do i begin?" Many of the posts are done from gmail accounts that have no obvious association with a name or company, for obvious reasons.

Second, the number of times you see these questions come from 'certified' professionals is silly. I frequently get forwards from lists full of CISSPs that post this kind of question, begging the world to wonder why anyone thinks that certification holds water. If not certified, from people with 'security' and/or 'engineer' in their official title. Some posts suggest a company decided to tell a junior analyst to do a full blown pen-test, likely to save a few bucks. Others, the wannabe-pentester is definitely over eager and grossly exaggerating their claims of being qualified.

Last, it's only going to get worse.

- jericho

[1] http://attrition.org/errata/

Adriel T. Desautels
ad_lists () netragard com

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Current thread:
- Re: My Frustrations, (continued)
- Re: My Frustrations M.B.Jr. (Dec 19)
- RE: My Frustrations Baykal, Adnan (CSCIC) (Dec 19)
- RE: My Frustrations Erin Carroll (Dec 19)
- Re: My Frustrations M.B.Jr. (Dec 19)
- Re: My Frustrations H D Moore (Dec 18)
- Re: My Frustrations Nick Besant (Dec 18)
- RE: My Frustrations THOMAS, DEDRIC (ATTCLSMA) (Dec 18)
- Re: My Frustrations Nick Besant (Dec 18)
- Re: My Frustrations security curmudgeon (Dec 18)
- Re: My Frustrations Adriel T. Desautels (Dec 18)
- RE: My Frustrations suess13 (Dec 19)
- Re: My Frustrations Adriel T. Desautels (Dec 19)
- RE: My Frustrations Alex Eden (Dec 19)
- RE: My Frustrations Nick Vaernhoej (Dec 19)
- Re: My Frustrations Adriel T. Desautels (Dec 18)
- Message not available
- Re: My Frustrations Pete Herzog (Dec 21)
- RE: My Frustrations Shenk, Jerry A (Dec 18)
- Re: My Frustrations tony_l_turner (Dec 18)
- Re: My Frustrations Adriel T. Desautels (Dec 19)
- Re: My Frustrations Roman Medina-Heigl Hernandez (Dec 23)
- Re: My Frustrations Adriel T. Desautels (Dec 23)