Re: Penetration tester or Ethical hacker future?

From: Nikos Tsagarakis (n.tsagarakis@innova-sa.gr)
Date: Fri Aug 31 2007 - 04:41:55 EDT


Paul Melson wrote:
>> Now the question, I really want to know what is your thought on where the
>> penetration testing market is going?
>
> I'd say that the pen-test market as we know it today has another 5-10 years
> on its feet thanks to regulations like PCI. Eventually companies will lose
> interest for any number of potential reasons:
>
> 1. They figured out Internet service security and got bored with empty
> reports.
> 2. They bought a scanner and brought it all in house. (Nessus runs on
> Windows now!)
> 3. They get owned despite clean pen-test reports and now think it's a waste
> of money.
>
>
I do not believe that penetration testing is a waste of money. My approach
is that we perform penetration testing to find the riskiest attack path
that a malicious user should follow...

As for the previous post "what we are selling? with penetration
testing".... we offer to the client's organization the opportunity to test
their system's security against an attack that is similar to a really
malicious offender. To do this you need to exploit vulnerabilities.. to
exploit vulnerabilities you need skilled persons to do the job who cost
a lot... this is why the market may require an approach of the
vulnerability assessment closer to penetration testing (done by automated
tools) which is cheaper.
So the deduction of the above is that pen-test probably will never die
and will probably not be replaced by automated tools.

> This will leave pen-testers to fight over the emerging security QA market.
> Instead of pen-testing a company's network, you'll pen-test their product.
> In its early stages, this will separate the men from the boys, so to speak.
> But eventually black/grey box testing tools like fuzzers and debuggers will
> get slick GUI's and scripted test suites, too.
>
>
>> Will the penetration tester job description change over time because
>> of the evolution of automated tools?
>
> It already has. It's a done deal. Any pen-test shop that tells you they
> don't use ISS, Nessus, Rapid7, or Qualys is lying. The good shops hire good
> people and write custom tools in addition to the commercial scanners. The
> bad ones just overcharge for a pretty binder. Unfortunately, the bad
> outnumber the good 10:1.
>
>
>> Do you think it's worth the effort to train and keep people in the company
>> for doing pen testing? What I mean by this is say - an average skill
>> penetration testing costs say 60k/year + 20k of automated tools = 80k/year
>> -> can deliver quality say 70% VS - someone with highly skilled that cost
>> to the organization 150k whilst can deliver quality say 90% If at the end
>> COMPLIANCE is still the main driving for penetration testing.
>> Should we say Quality is the 2nd priority?
>>
>
> Only if organizationally compliance is the first priority, which it
> shouldn't be, but often is. Most companies do not benefit from having a
> Dave Aitel or Dan Kaminsky on their internal staff. It makes more sense to
> hire them to beat up on the new stuff and/or the important stuff and
> supplement that work with cheaper scanning-tool based work done in-house.
>
>
>> The reason why I asked this question is because I notice that Virus
>> Analyst position only available if you are working in the Anti-virus
>> Vendor such as Mcafee, Symantec, etc While Big organization usually employ
>> Anti-virus administrators as opposed to Virus Analyst? I strongly believe
>> the reason for this is because Anti-virus market has matured and people
>> are more and more relying on Anti-virus Software. Has anti-virus software
>> solved the problem? No of course, since there still many new viruses
>> coming out every second. I am not sure this is the correct analogy or not
>> but I hope you get the point.
>>
>
> Actually, I think it's a pretty good analogy. AV software and vulnerability
> scanners work very similarly. They look for known patterns either in
> recorded data or system behavior. And there are big detection gaps in both
> of these approaches that, for now at least, can only be covered by talented
> hands.
>
>
How can an automated tool predict all the probable combinations of
attacks that a skilled penetration tester will choose to perform (I have
already used CORE Impact....)?
> PaulM
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
---------------------------------------------
 Nikos Tsagarakis			    
 Technical Information Security Consultant 
 INNOVA S.A. http://www.innova-sa.gr	    
---------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:05 EDT