Penetration Testing mailing list archives
Re: Pentesting vs VA - was Pentesting tool - Commercial
From: "Robert E. Lee" <robert () outpost24 com>
Date: Thu, 28 Feb 2008 11:52:05 +0100
On Wed, 2008-02-27 at 16:48 -0700, Andre Gironda wrote:
Using exploits on production or IT networks is unethical. This isn't the wild west. You're overpaying by about $19K-$26K for what you need when you go with Core Impact. I don't know about ya'll, but the idea of propagating a pseudo-worm through a corporate network seems about as good of an idea as asking the power company to shut off electricity to a hospital for "just a minute, to see what will happen".
When using exploits against production systems, in the best case scenario you've altered the running state of production software. In the worst case, you've corrupted data or caused a loss of service. Most of us have accepted these potential outcomes as normal during a manual penetration test. The concern companies should have with the exploit frameworks is that many of their users don't understand what the tool is doing. The users also don't understand what the exploit is affecting. These tools can be disastrous in the wrong hands. A better use of time for most companies would be to use a thorough vulnerability assessment and management solution. VAM solutions can: * Identify new vulnerabilities - far more than an exploit framework * Assign vulnerability related tasks to the responsible Sys Admins * Allow for retesting of the device/vulnerability to ensure the it was properly mitigated * Show trending over time Our customers value their ability to actually improve their situation over their ability "Pwn" the systems they already own. Robert -- Robert E. Lee Chief Security Officer Outpost24 - One Step Ahead http://www.outpost24.com SE Phone: +46 455-61-2320 US Phone: +1 801-924-5902 email: robert () outpost24 com ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- RE: Pentesting tool - Commercial, (continued)
- RE: Pentesting tool - Commercial Ramki B (Feb 26)
- Re: Pentesting tool - Commercial Andre Gironda (Feb 26)
- RE: Pentesting tool - Commercial Ramki B (Feb 26)
- RE: Pentesting tool - Commercial Foster, Matt (Feb 25)
- RE: Pentesting tool - Commercial Ramki B (Feb 26)
- Re: Pentesting tool - Commercial Andre Gironda (Feb 26)
- Re: Pentesting tool - Commercial Erin Carroll (Feb 27)
- Re: Pentesting tool - Commercial Trygve Aasheim (Feb 27)
- Re: Pentesting tool - Commercial Andre Gironda (Feb 27)
- Re: Pentesting tool - Commercial Trygve Aasheim (Feb 28)
- Re: Pentesting tool - Commercial Chris McNab (Feb 28)
- Re: Pentesting vs VA - was Pentesting tool - Commercial Robert E. Lee (Feb 28)
- RE: Pentesting tool - Commercial Ramki B (Feb 26)
- AW: Pentesting tool - Commercial puppe (Feb 27)
- RE: Pentesting tool - Commercial Ferris, Joe (Feb 27)
- RE: Pentesting tool - Commercial Trygve Aasheim (Feb 25)
- Re: Pentesting tool - Commercial Terry Cutler (Feb 25)