Penetration Testing mailing list archives

Re: Verify Your Security Provider -- The truth behind manual testing.


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Sat, 18 Jul 2009 13:22:34 -0430

On Saturday 18 July 2009 04:58:59 Justin Ferguson wrote:
I'm a pentester, but I have to say that a pentest is only the first stage,
when you show the impact and risk of an attack to justify a more
extensive and white-box-based security plan.

I'm curious as to your reasoning for not just skipping the foreplay
assessment and selling the customer what they apparently needed in the
first place (white-box review), and to consider the ethical
implications of charging your customer X thousand dollars for a
service which is just the precursor to the service they needed/you're
going to recommend at the end.
Sans DRM, anti-debugging/disassembly, et cetera related engagements, why
would a black-box assessment ever be better for improving the security
of a client?


Good point! I agree with you!

I'll talk only about my experience. I have worked on many projects which involve
many stages of the audit process (forensics, pentesting, and even a complete
ISO 27001 audit)... And I have to say that companies don't like to put money
into security. Many times it happens when they have an incident... Reactive
security. (Even in companies with an IT Security Department...)

This was only the introduction to my point, not the reason to offer pentesting.

Reasons:

1- Most companies don't like to invest in security because they
don't love/trust the Return on Investment (ROI) of security. They are putting
their trust in a new advanced firewall that comes in a box... remember: it's a
box, they have a feeling of security from a material thing, and they can blame
the box when they get hacked. They cannot blame the audit when they get hacked,
because we work on statistics.

I know, this is pirate behavior and it should be different in our times, but
it is not different; therefore, you ask them for a pentest to open their eyes and
show how vulnerable they are.

Pentesting costs are peanuts compared to a full audit process, and they
usually prefer to confirm that they are vulnerable before they open a costly
budget for security (we offered both at the same time, and the companies
preferred to do pentesting 9/10 times).

Pentesting in conjunction with other studies can also be used to estimate the
risk impact and how much budget is justified to spend on a more extended
audit.

2- The other justification to pentest is when the customer really doesn't have an
extensive budget to spend on security. Therefore, a very good pentest could
cover most of the vulnerabilities with a smaller budget. (Better than
none.)


-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
