Re: Cross testing exploit with vulnerability scan results

From: jussi jaakonaho (jussi@mataaratanga.com)
Date: Sun Jul 29 2007 - 06:15:51 EDT


On 7/29/07, Anders Thulin <anders.thulin@sentor.se> wrote:
> (This is why computer penetration testing ultimately is a dead end.
> Security can't rely on penetration testing for anything but reports
> of bad security.)

Yup.
Pentests can only tell the client something like "your security sucks" or "we are unsure" if used for assurance on security. They can be used as an eye-opener (if those are still needed), for testing incident and response processes, the monitoring function, etc.
The "sucks" part is due to being able to get in and delete everything from the db; the "we are unsure" part is when you have all the claims that, during this timeframe, with the available information, exploits, skills, etc. etc.

_jussi

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT