Penetration Testing mailing list archives
Re: Verify Your Security Provider -- The truth behind manual testing.
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Fri, 17 Jul 2009 13:44:13 -0400
Tim, I partially agree with what you've said here. People need a way to verify their vendor and their vendor's respective teams. Too many vendors claim that they do this and that, but when it comes time to work they've got no talent to show. "All hat and no cattle," as a manner of speaking.
Anyway, I didn't say "only use Facebook," did I? Use any means possible. Bottom line is, though, if the company has researchers, then the company will have published advisories. If they've done that, then you should be able to get a good idea of their capability by doing research on their research. Manual testing is research, after all, and it's not all created equal. Lots of vendors who claim that they do manual testing don't. They just verify that a service that was reported as vulnerable by Nessus is actually up and running. If it is running, then it passes their "manual test." That's a joke if you ask me.

Btw, if you comment on the blog, I might post it. :)

On Jul 17, 2009, at 1:20 PM, Tim wrote:
Hi Adriel,

I agree with the vast majority of what you're saying. I work as an application penetration tester, amongst other things, and the crew I work with is very hands-on. On numerous occasions I've performed testing on environments that had previously been tested by other vendors, only to find dozens of vulnerabilities that they hadn't found because of the problems you mention with highly automated testing.

However, I take issue with this:

  - Ask them for the names of their security experts and then use tools like Google, LinkedIn, Facebook and PIPL to do research on those experts. If nothing comes up then chances are their experts aren't experts at all.

Do I really need a Facebook page to be a security expert? There are plenty of very sharp testers out there who don't relish the limelight and don't spend their free time blogging about the little hacks they found this week. Also, many might post under pseudonyms to help separate their private research activities from work-related ones. That's not to say doing background research on their consultants isn't useful, but you can't rely on experts always showing off their stuff.

tim
Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
Current thread:
- Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Tim (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Tim (Jul 17)
- Message not available
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Justin Ferguson (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Mike Messick (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Mike Messick (Jul 18)
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 17)
- Re: Verify Your Security Provider -- The truth behind manual testing. Tim (Jul 17)
- Message not available
- Re: Verify Your Security Provider -- The truth behind manual testing. Adriel T. Desautels (Jul 18)