Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Verify Your Security Provider -- The truth behind manual testing.

From: Tim <tim-pentest () sentinelchicken org>
Date: Fri, 17 Jul 2009 10:20:00 -0700

Hi Adriel,

I agree with the vast majority of what you're saying.  I work as an
application penetration tester, amongst other things, and the crew I
work with is very hands-on.  On numerous occasions I've performed
testing on environments that had previously been tested by other
vendors, only to find dozens of vulnerabilities that they hadn't found
because of the problems you mention with highly automated testing.

However, I take issue with this:


      • Ask them for the names of their security experts and then use tools  
like Google, LinkedIn, Facebook and PIPL to do research on those  
experts. If nothing comes up then chances are their experts aren’t  
experts at all.


Do I really need a Facebook page to be a security expert?  There are
plenty of very sharp testers out there who don't relish the lime light
and don't spend their free time blogging about the little hacks they
found this week.  Also, many might post under pseudonyms to help
separate their private research activities from work-related ones.

That's not to say doing background research on their consultants isn't
useful, but you can't rely on experts always showing off their stuff.

tim


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: