Penetration Testing mailing list archives
Re: Verify Your Security Provider -- The truth behind manual testing.
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Sat, 18 Jul 2009 13:22:34 -0430
On Saturday 18 July 2009 04:58:59 Justin Ferguson wrote:
I'm a pentester, but I have to say that pentest is only the first stage, when you show the impact and risk of an attack to justify a more extensive and white-box based security plan.

I'm curious as to your reasoning for not just skipping the foreplay assessment and selling the customer what they apparently needed in the first place (whitebox review), and to consider the ethical implications of charging your customer X thousand dollars for a service which is just the precursor to the service they needed/you're going to recommend at the end.

Sans DRM, anti-debugging/disasm, et cetera related engagements, why would a blackbox assessment ever be better for improving the security of a client?
Good point! I agree with you! I'll talk only about my experience. I worked on many projects which involved many stages of the audit process (forensics, pentesting, and even a complete ISO 27k1 audit)... And I have to say that companies don't like to put money into security. Many times it happens when they have an incident... Reactive security. (Even in companies with an IT Security Department...) This was only the introduction to my point, not the reason to offer pentesting.

Reasons:

1- Since most companies don't like to invest in security because they don't love/trust the Return on Investment (ROI) of security, they put their trust in a new advanced firewall that comes in a box... Remember: it's a box, they have a feeling of security about a material thing, and they can blame the box when it gets hacked. They cannot blame the audit when they get hacked, because we work for statistics. I know, this is pirate behavior and it should be different in our times, but it is not different; therefore, you ask them for a pentest to open their eyes and show how vulnerable they are. Pentesting costs are peanuts compared to a full audit process, and they usually prefer to confirm that they are vulnerable before they open a costly budget for security (we offered both at the same time, and the companies preferred to do pentesting 9/10 times). Pentesting in conjunction with other studies can also be used to estimate the risk impact and how much budget is justified to spend on a more extended audit.

2- The other justification to pentest is when the customer really doesn't have an extensive budget to spend on security. Therefore, a very good pentest could cover most of the vulnerabilities with a lesser budget. (Better than none.)

--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1