Re: Defending the honor of...penetration testing tools
From: Anton Chuvakin <anton () chuvakin org>
Date: Wed, 13 Feb 2013 05:54:38 +0400
On Tue, Feb 12, 2013 at 9:50 PM, Dave Aitel <dave () immunityinc com> wrote:
> So as you can see below, I'll be at RSA asking Andrew Jaquith why on
> earth he thinks penetration testing tools are evil. To be honest, I have no
> idea. Does that also imply penetration testing is evil, or is he saying
> that penetration testing tools make people lazy and therefore you get better
> penetration tests without them, in which case I'll try to get him to write
> his future papers without a keyboard or something.
Well, I can't say why he thinks they are evil, but I often thought that
their NAME is. Often, when I hear people say "penetration testing tools"
they *automatically* assume that "running that tool == penetration test."
After all, "X tool" in many minds means "tool that does X." Penetration
tools, last time I checked, don't DO penetration testing. Humans do. You
can insert all the jokes about stupid people and all, but this sentiment is
very, very contagious.
Therefore I often avoided naming them in my work and instead used
some kludge like "exploitation tools", or (please don't laugh) "tools
[somewhat] helpful during penetration testing."
Dr. Anton Chuvakin
Dailydave mailing list
Dailydave () lists immunityinc com