State of Penetration Testing Research (Input requested)

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Sun Sep 30 2007 - 15:52:52 EDT


Hey guys, I'm doing some research for a few upcoming projects and I'd
like to solicit the opinions of Security Professionals that perform
penetration tests as their primary job function. I'm hoping to interview
at least 100 pentesters. The survey is about 20 questions... You don't
need to post your answers back to the list; you can send them to me
directly. If you know other people that are willing to fill this out,
feel free to ask them to do it as well. I'll share the results of the
survey with anyone that actively participates.

        Thanks in advance....

Subject: State of Penetration Testing Survey

1. Do you think you can no longer realistically PenTest without a
framework anymore (i.e. Metasploit, Core Impact, Canvas, Saint, Web
Inspect, blah blah blah)?

2. Client-side exploits have officially taken over. Do you think that when
sorting exploits from now on an auditor would probably be better suited
to sort his exploits by attack vector (i.e. email, browser), regardless
of what the exploit attacks, whether it's common workstation apps like
WinZip, WinRAR, Winamp, Yahoo Messenger or common server-based apps like
3rd party DNS Servers, Web Servers, FTP Servers, TFTP Servers, etc.?

3. Do you think the migration of the attack vector landscape from the
network, to the OS, to server applications, to now client-side
applications is making targeted attacks more or less difficult for
attackers, and why?

4. How has the emphasis on Web Application Security over the last few
years changed your approach to penetration testing?

5. When performing Web Application Security Testing, do you find that the
remediations are somewhat more difficult for the customers to implement
because the solution may involve source code modification instead of a
vendor patch that needs to be applied?

6. Are you currently auditing VoIP and Web Services in your penetration
tests?

7. Do you think VoIP and Web Services are the next frontier in
penetration testing?

8. Do you think vulnerability classification needs to be revamped? Can
you still classify vulnerabilities by High, Medium, and Low now that the
primary attack vectors are email/browser based and Web App?

9. Do you think it's difficult to hire competent penetration testers
because of the constantly increasing complexity of today's networks and
applications, the required travel, and the security clearances that may
be required in some areas? If so, what is the difficulty with regard to
hiring pentesters that you experience the most?

10. Do you think the skill-level of today's penetration testers has
increased or decreased over the years? Give an example to illustrate
your opinion.

11. Do you or other pentesters on your team periodically modify public
exploits as part of your assessments? If so, what are the common
circumstances under which you do so?

12. Do you or other pentesters on your team periodically write Proof of
Concept exploits as part of your assessments? If so, what are the common
circumstances under which you do so?

13. Do you think today's IT customer is more security savvy than in
previous years, and if so, how has it affected the actual deliverable
that you give the customer at the completion of the assessments you
perform?

14. Do you think vulnerability assessment tools and automated
penetration test frameworks are pushing pentesters out of the market?

15. Do you or members of your team perform source code auditing as part
of your security offering?

16. Do you have customers that are willing to hire you/your company to
ensure security is implemented throughout the entire SDLC of an
application they plan to develop? Or do you find companies more apt to
request that you audit the application when it is near completion because
of regulatory compliance?

Pentesting Background Questions:

1. What area of the IT Field were you in prior to pentesting?

2. How long have you been pentesting?

3. Do you have a development background? If so, what languages?

4. Do you perform military/gov pentests for a government contractor?

5. Do you pentest as part of an IT or IT Security Consultancy?

6. What country are you in?

================================================================================

Thanks so much for filling out this survey. I really appreciate it.

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 
        - Zig Ziglar
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT