Penetration Testing
mailing list archives
Re: My Frustrations
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Thu, 18 Dec 2008 10:41:42 -0500
Alex,
Nice post, I enjoyed reading that. I agree with you that people
should come to the list and ask questions, that is after all how we all
learned. When someone comes to this list and tells us that he's
already started a penetration and needs some direction with a problem,
that is perfectly fine. But when the direction that he is requesting
is elementary in nature and is something like "how do I run this
exploit" or "how can I use XSS" or "Why is SQL Injection risky", that
makes me cringe.
The real issue is that in this industry the cream doesn't float to
the top without a fight. That's because there are very few people who
are not experts that can tell the difference between who is an expert
and who isn't. As a result customers purchase services from people
thinking that they are experts, when they aren't. They get that fake
kit-car Ferrari but pay for the real thing. Or maybe they get the fake
Ferrari and pay less but think that they are getting the real thing.
Just as an FYI, my motivation for shedding light on this subject is
to protect people. When you purchase security services and you're not
an expert, you expect to feel secure and safe after everything is said
and done. If the people offering the services don't know what they
are doing then what they are really selling you is a false sense of
security. In my opinion that's almost criminal.
On Dec 18, 2008, at 10:31 AM, Alex Moen wrote:
Adriel,
I am, by no means whatsoever, an experienced, professional, or even
focused pentester, but rather an experienced, professional, focused
network administrator that is very interested in pen testing for my
own knowledge and security of my systems. I would expect some
questions like the ones that you are discussing to come from someone
like me... :)
However, I do agree with you that someone calling themselves a
security professional or pentester, and charging for their services,
should not be asking "basic" or low-level questions, especially on a
public forum such as this. I would think that there would be a
level of pride or whatever that would prevent that to a degree,
however, I have always lived by the idea that there is nothing wrong
with asking questions, nor are there any stupid questions. At least
the professional that is asking questions is trying to improve
himself in this regard, and is probably sensitive to his
limitations... The people that really get to me are the ones who do
not ask any questions and are secure that they know everything and
that they are always right, even when I can prove them wrong. I
sometimes ask some pretty silly questions in respect to my job,
although they don't always seem silly at the time of the asking and
earn a heel-of-the-palm-to-the-forehead from myself in retrospect.
This is not a problem isolated to the security professional world,
however. It is, afaik, in *every* profession. Our company does web
and e-mail hosting, PC repair, and network services as well as ISP
services, and we have competition in all of those arenas. Some of
the competitors are competent professionals, others are fly-by-night
half-wits that talk themselves into the graces of the customers.
Those customers eventually get burned and come back to us. It is
really up to the customer to determine whom to trust and not to
trust, and to do background checks and get information and referrals
about the companies that they are doing business with, and if they
get burned it is no one's fault but their own. Also, it may be a
company trying to save a few bucks by hiring the cheapest workforce
that they can, rather than the best. For whatever reason, though, the
poor performers never seem to go out of business and keep rearing
their ugly heads and leaving messes for the rest of us to clean up...
Anyway, that's my 2 cents on the whole issue. Hopefully my opinion
doesn't earn a bunch of flames. Just keep doing the best job that
you can, and remember that the cream always flows to the top.
Alex
Adriel T. Desautels wrote:
I recently wrote this blog entry and wanted to get some comments
from readers of this list. I'm frustrated with the caliber of the
people that are offering security services and posing as experts,
that's the subject of the post. Please comment, insult, whatever...
I'm interested.
http://snosoft.blogspot.com/
Adriel T. Desautels
ad_lists () netragard com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Adriel T. Desautels
ad_lists () netragard com