Re: Research on penetration testing?

From: Pete Finnigan (plsql@petefinnigan.com)
Date: Wed Dec 15 2004 - 12:41:02 EST

• Next message: Guillaume Lavoix: "pwdump 2 & 3"
• Previous message: Todd Towles: "RE: Class on Security Tools"
• In reply to: Gareth Davies: "Re: Research on penetration testing?"
• Next in thread: leonardo: "Re: Research on penetration testing?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

>I would agree with this if you wish to follow a less technical line.
>
>The ROSI problem (Return on Security Investment).
>
>How to sell penetration testing and vulnerability assessment, cost
>savings and so on.
Hi,

I would agree with this idea. When I read this my thoughts went
immediately to the book "Optimizing Oracle performance" written by Cary
Millsap and Jeff Holt - Published by O'Reilly. This book, quite
obviously by the title is about tuning Oracle and not about penetration
testing - bear with me..:-)

The book describes the new (ish) method of using the Oracle wait
interface (instrumentation in the Oracle kernel) for tuning. But the big
idea in the book is that fact that using this method the tuning effort
is repeatable and calculable in advance in terms of effort and cost
benefits.

Cary and Jeff describe how its possible to analyse the issue and then
identify the key business processes that are a problem and finally also
identify the time saving that is possible with solutions (This is
possible because what they are doing is analysing lost time in the
processing of data - so that time is highlighted in detailed steps in
the kernel source) and hence the cost benefit to the organisation.

This is mind blowing when you consider previous efforts were based on
trial and error. e.g. change this parameter and see if the program is
faster... no... now change it back and then try another parameter
instead... and so on.... with "method R" as described by the authors the
tuning effort is acutely focused based on cost benefit to the business
and the cost benefits of the possible solutions are known.

Now if this breakthrough in tuning could be applied to penetration
testing then the cost benefits for customers would be great. I would say
also that anyone who could offer this service would be in a commanding
position. Managers like to see costs and benefits..:-)

It is like the difference between alchemy and science.

Whether its possible to apply these ideas to penetration testing or not
is difficult to know. Also I feel the solution would probably be
technical as well as business related. In the Oracle book, the authors
have developed perl scripts to apply the ideas and also utilize queuing
theory in the solutions. I think ideas along this line would make a
great project.

Hope this helps

Kind regards

Pete

-- 
Pete Finnigan (email:pete@petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

• Next message: Guillaume Lavoix: "pwdump 2 & 3"
• Previous message: Todd Towles: "RE: Class on Security Tools"
• In reply to: Gareth Davies: "Re: Research on penetration testing?"
• Next in thread: leonardo: "Re: Research on penetration testing?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:11 EDT