[Dailydave] "The organization I belong to doesn't have initials" (that evil dude in Heroes)
Steve Manzuik
smanzuik at juniper.net
Mon Nov 13 22:25:56 Local time 2006
> That's a misleading way to frame the conversation, don't you
> think? A pen-test isn't supposed to answer the yes/no
> question, "Can you be hacked?"
> It's supposed to ask the open-ended questions, "How can you
> be hacked?" and
> "How can you fix it?"
Absolutely, but that was my entire point. If you don't have the
infrastructure in place, the answer to "how can I be hacked?" is a rather
long one that makes the "how can I fix it?" answer quite long as well.
Long answers to anything when executives are involved are
counterproductive.
Also, when you have a network that is so poorly built/secured, it is easy
for even a good pen-test team to get distracted with some of the
low-hanging fruit issues and miss some of the more important but "harder"
ones.
> Yes! Why spend energy finding new bugs when you're in no
> position to fix the ones you already know about? It's very
> much putting the cart before the horse.
Yup, and that is what I was trying to get at with my original, but badly
made point. ;-)
> Except that companies do 3rd-party pen-tests for reasons
> other than security, like compliance. Also, differentiating
> between the work done by Immunity and, say, Qualys* is a
> customer education issue. Oh, and don't forget the almighty
> dollar - because that's an easy way to tell Immunity and
> Qualys apart that doesn't hurt Qualys' business one bit.
But that isn't a pen-test. That is a vulnerability assessment. These
are two very different things.
Vulnerability Assessment = Using a tool to scan for known
vulnerabilities and weaknesses.
Pen-test = Using tools and skill to pop holes in boxes using known and
unknown vulnerabilities and weaknesses.
Don't take that the wrong way, I am in no way beating up on Vuln
Assessments. They have their worth as well, but they are geared more
towards the compliance issues than a real pen-test is. In fact, if you
are doing a pen-test to get past a compliance issue, you are probably
opening a can of worms that you really don't want to.