[153370] in North American Network Operators' Group


Re: Penetration Test Assistance

daemon@ATHENA.MIT.EDU (Jason 'XenoPhage' Frisvold)
Tue Jun 5 14:30:07 2012

From: Jason 'XenoPhage' Frisvold <xenophage@godshell.com>
In-Reply-To: <4FCE394D.4040102@alter3d.ca>
Date: Tue, 5 Jun 2012 14:05:06 -0400
To: Peter Kristolaitis <alter3d@alter3d.ca>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Jun 5, 2012, at 12:52 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
> In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go.". There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day. Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can imagine.

There are definitely a number of incredible pen-testers out there. But I agree with Peter... If you end up with a "report" that's nothing more than an executive statement pasted at the top of a Nessus report, then you've wasted your money. To be honest, I'd recommend getting a sample report from the company and quizzing them on it before committing to a contract with them.

---------------------------
Jason 'XenoPhage' Frisvold
xenophage@godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law