Home page logo

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Thu, 18 Dec 2008 11:44:58 +0000

2008/12/17 Adriel T. Desautels <ad_lists () netragard com>:
I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people that are
offering security services and posing as experts, thats the subject of the
post. Please comment, insult, whatever... I'm interested.


No, I agree. I would say there's no shame in not knowing a particular
area - we can't all be experts on everything. However, it is really
important to let the client know that it's not your area of expertise
and IMHO the ethical thing to do is recommend someone who is an expert
in that area.

Again, we don't all need to be Dave Aitel - the important thing about
pen-test for me is finding holes and fixing them. If you don't have
the technical knowledge to exploit them, that's less of an issue than
not being able to find the holes in the first place. And if you don't
know how dangerous a problem is, it's best to assume that it's
dangerous until you've proved otherwise.

However, just running an automated tool such as nessus/nmap/whatever
and dumping the results into a report is not nearly good enough - yes,
I have seen this in a commercial pen-test report. Ugh.

Jamie Riden / jamesr () europe com / jamie () honeynet org uk

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]