Re: Penetration Testing Services

[BMF <badmotherfsckr () gmail com>]

On Mon, Aug 2, 2010 at 4:18 AM, cribbar
> Penetration Testing Community - I am interested in getting an expert response
> to a discussion that keeps raising up in our company.

Then I suggest paying a reputable pen-test company for their expert
opinion. All you are likely to get here are half-assed amature replies
such as this one.

> I’ve spent a couple of hours on the Nessus website looking at the types of
> “vulnerability” it will catch, and it seems to cover a whole array of topics
> and security issues. This leads to the inevitable comment from senior

Be sure to test any accessible webapps as well. Nessus alone won't
catch the most likely ways in if you expose any web apps.

> management, if we have an IT Security section who are using the most common
> vulnerability scanning / penetration testing tools –what is the point in
> investing significant $$$ in buying in a 3rd party to do exactly the same?

Hopefully, that third party knows how to read the results of their
tools (many don't and just take the long list of stuff Nessus et al
spits out as gospel), may use multiple tools, and may be able to probe
your webapps and other things that Nessus doesn't touch.

> I fully appreciate that penetration testing is an area of high skill, as a
> 3rd party you provide an independent neutral security review, it takes years
> to master the topic, and once mastered you need to stay up to date with all

I think penetration testing is way overrated anyway. There is no way
to prove that you have found and fixed all of the external
vulnerabilities. If the attackers are smarter or more up to date than
your pen-test (which these days is likely) you are still hosed.

> • How do you as penetration testers, portray the importance of this
> independent check to future potential clients? Is this independence really
> that important?

Pen-testers want to sell their services. So they portray pen-testing
as very important. And never point out that the attacker is likely
smarter than the pen-tester because that is bad for bidness.

> • What broadly speaking do you as professional penetration testers bring
> additional to a nessus scan during the services you provide?

Most pen-testers don't add much more than that aside from copious
amounts of ego and claims of l33tness. Good ones do but are hard to
find. They may have custom tools and will be able to probe your web
apps etc.

 If there are
> categories of security issues/vulnerabilities that you can flag up doing one
> of your penetration tests that Nessus wont - that would be incredibly useful
> to know, and I’d love to be able to identify the limitations of Nessus scans
> but I am a bit out of my depth to be able to do so.

Web apps.

> that’s the report they use. This to me sounds a complete rip off, and I
> can’t see the benefit. So where is the added benefit in having an internal
> security guy run nessus, and paying a 3rd party pen tester x amount of $$$
> money to do exactly the same? Why not just stick with the internal guy? Or

If that is all they do then it is a complete rip-off. Quiz them well,
ask for what tools they use, make them prove everything they claim.

> am I missing something? I really would appreciate real examples of whereby
> just running Nessus is simply not enough as it wont catch a, b and c!

Web apps.

BMF

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------