Re: Penetration tester or Ethical hacker future?

From: David Jacoby (security@outpost24.com)
Date: Thu Aug 30 2007 - 06:36:05 EDT


IRM wrote:

> Now the question, I really want to know what is your thought on where the
> penetration testing market is going? Will the penetration tester job
> description change over time because of the evolution of automated
> tools?

I think the automated vulnerability scanning market is going to grow
a lot, it is the most cost effective way to determine if you are
vulnerable against common known vulnerabilities. It is not used to
eliminate att vulnerability, but as a verification tool. By using
these automated tools it also helps the user(s) to manage their
security issues. I don't see it as a replacement to a manual
penetration test, but I actually see manual penetration tests to be a
complement to automated vulnerability scanning.

> Do you think it's worth the effort to train and keep people in the company
> for doing pen testing? What I mean by this is say
> - an average skill penetration testing costs say 60k/year + 20k of automated
> tools = 80k/year -> can deliver quality say 70%
> VS
> - someone highly skilled who costs the organization 150k whilst they can
> deliver quality say 90%
> If at the end COMPLIANCE is still the main driver for penetration testing.
> Should we say Quality is the 2nd priority?

First of all I think it's strange that you "teach" people to do
penetration tests. People who do it should do it because they love
doing it, I personally look at it as an art form. Everyone can use
tools such as CORE Impact, Nessus or BackTrack but not everyone can be
a good penetration tester.

When people ask us at Outpost24 about this we often say that automated
vulnerability scanning is not a replacement for manual penetration
tests. A manual penetration test is maybe performed 2 or at max 4
times in a year at a company, they will hopefully find almost all the
vulnerabilities and report them back to the client, the problem is
that the day after they leave new vulnerabilities are released and may
result in that the company that just spent 60k has one of their
machines compromised the day after the pentest team reported their
findings.

Automated vulnerability scanning should be used on a weekly basis to
reduce the risk of getting attacked by new vulnerabilities and as a
complement to automated tools a pentest team should come in and do a
deeper test and maybe also verify the findings from the automated
tool. It is also important to understand that a manual pentest team
may find vulnerabilities which have not been found yet, especially if a
client may use home brew in-house applications.

> The reason why I asked this question is because I notice that Virus Analyst
> positions are only available if you are working at an Anti-virus Vendor such as
> McAfee, Symantec, etc., while big organizations usually employ Anti-virus
> administrators as opposed to Virus Analysts? I strongly believe the reason
> for this is because the Anti-virus market has matured and people are more and
> more relying on Anti-virus Software. Has anti-virus software solved the
> problem? No of course, since there are still many new viruses coming out every
> second. I am not sure this is the correct analogy or not but I hope you get
> the point.

Anti viruses are almost not needed today, most viruses are spread via
known vulnerabilities and not via floppy discs etc. as it used to be.
Another big problem is that people are starting to find
vulnerabilities in so called "security software" that is installed to
prevent attackers but actually does the opposite, they increase the
attack surface.

Best regards,
David Jacoby

-- 
David Jacoby
Vice President Customer Experience
http://www.outpost24.com