Penetration Testing mailing list archives
Re: Pentesting tool - Commercial
From: "Andre Gironda" <andreg () gmail com>
Date: Wed, 27 Feb 2008 16:48:09 -0700
On Wed, Feb 27, 2008 at 1:38 PM, Trygve Aasheim <trygve () pogostick net> wrote:
> This doesn't mean I don't like or use Metasploit, Canvas or any other...I just want to point out that the quality of a product is not based on a number, and Core Impact has proven its quality many times, and in many ways.

The numbers show that Core Impact is superior to Canvas and Metasploit. Unfortunately, they also show that Impact is missing quite a lot. The point I was trying to make is that you can't use only one exploitation engine.

However, I also fail to see the point of using an exploitation engine except in the case of testing IPS/IDS or similar. In this case, anyone would clearly be better off using BreakingPoint Systems BPS-1000.

Using exploits on production or IT networks is unethical. This isn't the wild west. You're overpaying by about $19K-$26K for what you need when you go with Core Impact. I don't know about y'all, but the idea of propagating a pseudo-worm through a corporate network seems about as good of an idea as asking the power company to shut off electricity to a hospital for "just a minute, to see what will happen".

Instead of RPT, I suggest asset management combined with regular, good old-fashioned vulnerability scanning. Most of the "experts" I know don't even understand the difference between a vulnerability and an exploit. More of those people don't even understand how unreliable exploits usually are (let alone scanning errors in vulnerability-only scanners).

Core already lied once on this list about how many modules vs. exploits vs. CVEs they support. They could make anything up. The money numbers do not lie. Compare to Rapid7, Tenable, Lumension, or McAfee for yourself.

If you have to raise awareness by running live exploits, try Metasploit. It's free.

Management still not convinced? Already covered all the Metasploit exploits? Try Canvas, it's cheap.

Management still not convinced? Already covered the Canvas exploits, too? Add an exploitation pack or two. Start writing your own exploits.

Management still not convinced? Already covered all of the Canvas exploitation packs and started writing your own in-house exploits specific to your architecture? Maybe Core Impact will help; call them for a demo.

I have no idea why people are so quick to jump to Core Impact first. You can't just throw money at these types of problems. Security is a very careful and gradual process.

Cheers,
Andre