Mr. Desautels,
The impression I get is that you blanket despise any automated testing? Maybe I'm wrong in that impression, but that seems like a dangerously narrow view. Are there any pen-testers who do not use any automation at all?
Further, let's say a good pen-tester does her testing manually and uses a good methodology and gives a certain deliverable. Almost certainly she will re-use that same deliverable template for another client, just like using the same methodology.
Isn't one of the points of re-using consistent methodologies so you don't have to reinvent the whole test over again the next time? It would follow that as she does more assessments, she will automate various pieces so that her time commitment lessens on those pieces, resulting in better returns or more time spent elsewhere.
Continue down this path long enough, and you have... automation, which you despise.
I'm confused...maybe we must do it the hard way? To me, that seems to be the common opinion of people who despise 'script kiddies' when in fact they may be more efficient than someone sticking to their manual tools?
I'm not saying automation should replace human pen-testers; absolutely not! But take care to include both and not just despise one because it may be below you or easy or less accurate. Your real argument is with people who accept those automated reports as religion...and I don't think you'll find any of those people on this list or in your audience. Don't shoot automated testing just because some people use only them for their checklist security.
Cheers!
<- snip ->
Nevertheless automated scanning doesn't produce an accurate
deliverable. That is in fact impossible. Manual testing can produce a
very accurate deliverable if it's done right with the right
methodology. Hence my gripe with any security provider that offers
services whose products are the direct result of automated testing.
Received on Jan 13 2009