Penetration Testing mailing list archives
Re: Verify Your Security Provider -- The truth behind manual testing.
From: Tim <tim-pentest () sentinelchicken org>
Date: Fri, 17 Jul 2009 10:20:00 -0700
Hi Adriel, I agree with the vast majority of what you're saying. I work as an application penetration tester, amongst other things, and the crew I work with is very hands-on. On numerous occasions I've performed testing on environments that had previously been tested by other vendors, only to find dozens of vulnerabilities that they hadn't found because of the problems you mention with highly automated testing. However, I take issue with this:
• Ask them for the names of their security experts and then use tools like Google, LinkedIn, Facebook and PIPL to do research on those experts. If nothing comes up then chances are their experts aren’t experts at all.
Do I really need a Facebook page to be a security expert? There are plenty of very sharp testers out there who don't relish the limelight and don't spend their free time blogging about the little hacks they found this week. Also, many might post under pseudonyms to help separate their private research activities from work-related ones. That's not to say doing background research on their consultants isn't useful, but you can't rely on experts always showing off their stuff.

tim