Penetration Testing mailing list archives

Re: we are security critics was: Re: Using 0days as part of pen-test?


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Thu, 15 Jan 2009 17:07:39 +0000

Pete Herzog wrote:
> Hi,
>
>> 0-day tests, by definition, cannot test anything other than the
>> quality of the anomaly-based detection system.
>
> I'm unaware of this definition and I think it may be flawed. A 0-day,
> we can say, is an undocumented vulnerability and as such not widely
> known. Without thorough testing, we err on the side that every piece
> of software may have undocumented vulnerabilities which may or may not
> currently be known to someone.

I suppose a lot depends on the "goal" of the pentest.

If the goal is to penetrate the network (which would of course be the
goal of a real attacker) then everything is fair game.

If the goal is to evaluate the security posture of the network for
compliance purposes, then what you are really testing is that best
common practice and regular patching is taking place - and given an 0day
by definition can't be guarded against by that process, it would give
different results to what is desired.

If you consider both those to be extreme positions (and of course they
are) then a valuable lesson can be learned from the use of an 0day - the
use and watching of logs, the general security posture to defend against
single points of failure, the reaction of the staff to attack... And
yet, many professional pentests are unrealistic in this regard anyhow;
they demand exemption from IDS/IDP systems, special passage through
firewalls normally granted only to specific IPs, high speed access to
the outside interface of security boundaries normally only accessible
via internet bandwidth, and so forth. The point made earlier (that by
the process of Responsible Disclosure, the white-hat holder of an 0day
feels obliged to not spread knowledge of it further until the vendor has
had an opportunity to patch) is also an issue - if you use your 0day for
testing, you are risking analysis of the logfiles showing what you did
and the knowledge escaping that way.