Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Core Impact Vs Manual Pen Test
From: "Rick Zhong" <sagiko () gmail com>
Date: Wed, 6 Sep 2006 09:52:01 +0800

Based on my experience as Pen Tester, the hybrid approach is really
the best way so far especially in projects which have very tight
timeframe and limited budget. The typical way procedure usually
covers:
--- Manual analysis of targets to determine what are the best tools to
use and how to use the tools (including the configuration and
customization)
--- then we will use the tools such as Core Impact, Appscan(web
application pt tools) to get a base line results
--- Manual efforts are again needed for analysis of results and
further exploration

Tools do not understand the business logic and process behind, but
they are good in terms of doing repeated testing and give a better
coverage, provided you have an experience Pen Test.

Some interesting  calculation:

QR= QP*10 + QT * QP
where:
Quality of Pentester (QP) :  1 to 10 (10 is the best)
Quality of Tools (QP) : 1 to 10 (10 is the best)
Quality of PT Result(QR): 1 to 200 (200 is the best)

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]