Re: Pentesting tool - Commercial

["Andre Gironda" <andreg () gmail com>]

On Wed, Feb 27, 2008 at 1:38 PM, Trygve Aasheim <trygve () pogostick net> wrote:
>  This doesn't mean I don't like or use Metasploit, Canvas or any
>  other...I just want to point out that the quality of a product is not
>  based a number, and Core Impact has proven its quality many times, and
>  in many ways.

The numbers show that Core Impact is superior to Canvas and Metasploit.

Unfortunately, it also shows that Impact is missing quite a lot.  The
point I was trying to make is that you can't use only one exploitation
engine.

However, I also fail to see the point of using an exploitation engine
except in the case of testing IPS/IDS or similar.  In this case,
anyone would clearly be better off using BreakingPoint Systems
BPS-1000.

Using exploits on production or IT networks is unethical.  This isn't
the wild west.  You're overpaying by about $19K-$26K for what you need
when you go with Core Impact.  I don't know about ya'll, but the idea
of propagating a pseudo-worm through a corporate network seems about
as good of an idea as asking the power company to shut off electricity
to a hospital for "just a minute, to see what will happen".

Instead of RPT, I suggest asset management combined with regular,
good-old fashioned vulnerability scanning.  Most of the "experts" I
know don't even understand the difference between a vulnerability and
an exploit.  More of those people don't even understand how unreliable
exploits usually are (let alone scanning errors in vulnerability-only
scanners).

Core already lied once on this list about how many modules vs.
exploits vs. CVE's they support.  They could make anything up.  The
money numbers do not lie.  Compare to Rapid7, Tenable, Lumension, or
McAfee for yourself.

If you have to raise awareness by running live exploits, try
Metasploit.  It's free.  Management still not convinced?  Already
covered all the Metasploit exploits?  Try Canvas, it's cheap.
Management still not convinced?  Already covered the Canvas exploits,
too?  Add an exploitation pack or two.  Start writing your own
exploits.  Management still not convinced?  Already covered all of the
Canvas exploitation packs and started writing your own in-house
exploits specific to your architecture?  Maybe Core Impact will help;
call them for a demo.

I have no idea why people are so quick to jump to Core Impact first.
You can't just throw money at these types of problems.  Security is a
very careful and gradual process.

Cheers,
Andre

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------