Re: Verify Your Security Provider -- The truth behind manual testing.
- From: Tim <tim-pentest@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Jul 2009 10:20:00 -0700
Hi Adriel,
I agree with the vast majority of what you're saying. I work as an
application penetration tester, amongst other things, and the crew I
work with is very hands-on. On numerous occasions I've performed
testing on environments that had previously been tested by other
vendors, only to find dozens of vulnerabilities that they hadn't found
because of the problems you mention with highly automated testing.
However, I take issue with this:
• Ask them for the names of their security experts and then use tools
like Google, LinkedIn, Facebook and PIPL to do research on those
experts. If nothing comes up then chances are their experts aren’t
experts at all.
Do I really need a Facebook page to be a security expert? There are
plenty of very sharp testers out there who don't relish the limelight
and don't spend their free time blogging about the little hacks they
found this week. Also, many might post under pseudonyms to help
separate their private research activities from work-related ones.
That's not to say doing background research on their consultants isn't
useful, but you can't rely on experts always showing off their stuff.
tim