Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations
From: Nick Besant <lists () hwf cc>
Date: Thu, 18 Dec 2008 20:57:53 +0000

H D Moore wrote:
On Wednesday 17 December 2008, Adriel T. Desautels wrote:
I recently wrote this blog entry and wanted to get some comments from
readers of this list. I'm frustrated with the caliber of the people
that are offering security services and posing as experts, thats the
subject of the post. Please comment, insult, whatever... I'm
interested.

I agree with it for the most part - half the questions posed to this list would immediately disqualify the person as an expert, let alone a professional. The experienced folks tend to just post announcements or reply back to the former group. I would love to see this list turn back into real discussions of pen-testing challenges, but publicly asking for help on a job as reputation-centric as pen-testing carries a stigma of its own. The last thing you want a potential client to see is your lead pen-
tester asking for help on a SQL injection vulnerability.

I really don't see a way forward.

-HD


I think an important issue is that many of the people posting those questions to the list are failing to avoid the trap of performing purely subjective assessments. Pen-testing still retains some aspects of a black art to many, including clients; as tools and "for dummies" guides proliferate and such tools become easier to use, it becomes easy for those with minimal experience to put forth a seemingly convincing sales pitch. This includes established professional services organisations and consultancies as well as smaller establishments; I have seen reports from these organisations that are very much the reformatted Nessus output referred to in earlier responses. With this in mind I agree that there is no obvious way forward - unless some useful, international, easy-to-use, low-cost regulatory body were to suddenly pop into existence, perhaps.

--
Nick




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]