RE: Penetration tester or Ethical hacker future?

From: Paul Melson (pmelson@gmail.com)
Date: Thu Aug 30 2007 - 11:37:33 EDT


> Now the question, I really want to know what is your thought on where the
> penetration testing market is going?

I'd say that the pen-test market as we know it today has another 5-10 years
on its feet thanks to regulations like PCI. Eventually companies will lose
interest for any number of potential reasons:

1. They figured out Internet service security and got bored with empty
reports.
2. They bought a scanner and brought it all in house. (Nessus runs on
Windows now!)
3. They get owned despite clean pen-test reports and now think it's a waste
of money.

This will leave pen-testers to fight over the emerging security QA market.
Instead of pen-testing a company's network, you'll pen-test their product.
In its early stages, this will separate the men from the boys, so to speak.
But eventually black/grey box testing tools like fuzzers and debuggers will
get slick GUIs and scripted test suites, too.

> Will the penetration tester job description change over time because
> of the evolution of automated tools?

It already has. It's a done deal. Any pen-test shop that tells you they
don't use ISS, Nessus, Rapid7, or Qualys is lying. The good shops hire good
people and write custom tools in addition to the commercial scanners. The
bad ones just overcharge for a pretty binder. Unfortunately, the bad
outnumber the good 10:1.

> Do you think it's worth the effort to train and keep people in the company
> for doing pen testing? What I mean by this is say - an average skill
> penetration testing costs say 60k/year + 20k of automated tools = 80k/year
> -> can deliver quality say 70% VS - someone with highly skilled that cost
> to the organization 150k whilst can deliver quality say 90% If at the end
> COMPLIANCE is still the main driving for penetration testing.
> Should we say Quality is the 2nd priority?

Only if organizationally compliance is the first priority, which it
shouldn't be, but often is. Most companies do not benefit from having a
Dave Aitel or Dan Kaminsky on their internal staff. It makes more sense to
hire them to beat up on the new stuff and/or the important stuff and
supplement that work with cheaper scanning-tool based work done in-house.

> The reason why I asked this question is because I notice that Virus
> Analyst position only available if you are working in the Anti-virus
> Vendor such as McAfee, Symantec, etc While Big organization usually employ
> Anti-virus administrators as opposed to Virus Analyst? I strongly believe
> the reason for this is because Anti-virus market has matured and people are
> more and more relying on Anti-virus Software. Has anti-virus software
> solved the problem? No of course, since there still many new viruses coming
> out every second. I am not sure this is the correct analogy or not but I
> hope you get the point.

Actually, I think it's a pretty good analogy. AV software and vulnerability
scanners work very similarly. They look for known patterns either in
recorded data or system behavior. And there are big detection gaps in both
of these approaches that, for now at least, can only be covered by talented
hands.

PaulM




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:04 EDT