Penetration Testing mailing list archives

Re: Verify Your Security Provider -- The truth behind manual testing.


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Fri, 17 Jul 2009 13:44:13 -0400

Tim,
        I partially agree with what you've said here; people need a way
to verify their vendor and their vendor's respective teams.  Too many
vendors claim that they do this and that, but when it comes time to work
they've got no talent to show. "All hat and no cattle" as a matter of speaking.

        Anyway, I didn't say "only use Facebook", did I? Use any means
possible.  Bottom line is though, if the company has researchers, then
the company will have published advisories.  If they've done that, then
you should be able to get a good idea of their capability by doing
research on their research.

        Manual testing is research after all, and it's not all created equal.
Lots of vendors who claim that they do manual testing don't. They just
verify that a service that was reported as vulnerable by Nessus is actually
up and running. If it is running, then it passes their "manual test". That's
a joke if you ask me.

        Btw, if you comment on the blog, I might post it. :)



On Jul 17, 2009, at 1:20 PM, Tim wrote:


Hi Adriel,

I agree with the vast majority of what you're saying.  I work as an
application penetration tester, amongst other things, and the crew I
work with is very hands-on.  On numerous occasions I've performed
testing on environments that had previously been tested by other
vendors, only to find dozens of vulnerabilities that they hadn't found
because of the problems you mention with highly automated testing.

However, I take issue with this:

• Ask them for the names of their security experts and then use tools
like Google, LinkedIn, Facebook and PIPL to do research on those
experts. If nothing comes up then chances are their experts aren’t
experts at all.

Do I really need a Facebook page to be a security expert?  There are
plenty of very sharp testers out there who don't relish the limelight
and don't spend their free time blogging about the little hacks they
found this week.  Also, many might post under pseudonyms to help
separate their private research activities from work-related ones.

That's not to say doing background research on their consultants isn't
useful, but you can't rely on experts always showing off their stuff.

tim




        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com



