From: crazy frog crazy frog (i.m.crazy.frog@gmail.com)
Date: Sun Sep 02 2007 - 08:55:56 EDT
Comments inline....
> Most of you would be agreed that penetration testing market has became
> commodity. Moreover as a penetration tester, I agree that automated
> penetration testing tools like Core IMPACT, etc can never replace us as we
> still need to verify all the findings and identify false positive. Nothing
> wrong with those automated tools, I think really it's a great tool!
Everyone require some kind of tools to automate the task. Obiviously
if you have a large network you are not going to manually check every
port,service by your self.For that you need such tools.But these tools
alone can not do the work you need qualified person who understand the
results and then move forward with his own.
> A decent penetration tester would typically have a broad range of IT skills
> from Operating System, Network to Programming. I also need to mention that
> these broad range of skills are not something that you could gain by working
> for 2-3 years, I believe that a good penetration tester could gain these
> broad ranges of skill in at least 5 years? Maybe more or less depending the
> person I guess. So I would expect for a company to hire these kind of
> penetration testers they need to spend a little bit of cash for their wages.
> To sum up, I think a penetration tester or ethical hacker has highly
> technical skills.
Yes skills are required.But it depends on the person to person .Every
one grow with the time.
> At the end of the day, Business is business. Who cares if you possess highly
> technical skills? The business and its people especially the C-executive
> level are only interested
> Whether your highly technical skill can bring more revenue or money to them?
> Right?
NO!!Don't think so.Up to a point you can impress client with your
words after that you need to prove your self.Your work.if you don't do
good work it will work first time Next time dont expect that client to
give you another contract.
> It is interesting that the top major reason why business now days
> considering pen testing on its agenda is because of compliance and as part
> of risk management agenda rather than security wise they need it or fear of
> someone can break in. So I strongly believe COMPLIANCE is still the main
> reason for any vulnerability testing activities in the company.
Compliance is one of the primary reason but it is not the alone.There
are many more.If someone outsourcing his work then data security is
the primary concern for him.
> Now the question, I really want to know what is your thought on where the
> penetration testing market is going? Will the penetration tester job
> description will change over time because of the evolution of automated
> tools?
So far it looks good for next few years.We can not say its in mature
state like antivirus. There is no universally accepted standards.You
can say that it is just starting up to take the pace.
HTH--
---------------------------------------
there is a contest on secgeeks:
http://secgeeks.com/announcing_secgeeks_contest.html
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secgeeks.com/node/feed
http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:05 EDT