| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Sep 27 18:05:42 2005 From: dotsecure at gmail.com (Martin Mkrtchian) Subject: CORE-Impact license bypass I think automated tools should be used for penentration testing when it is possible. Why should the penetration tester use manual means and waste time? After all your average script kiddie will be using CORE like applications such as Metasploit to exploit a system. I do understand that for the techies out there automated tool is not a respectable way to do pen testing because it does not show your true skills, but bottom line is business doesnt care if you use manual or automated tools, what business cares about is for you to take all the possible appraoch to hack proof a system. Just because you are running automated tool doesnt mean you do not have the expertise. In fact tool may do the job, but it is security analyst's responsibility to analyze and develop high level and technical plan in how to remediate the issue. So therefore it is my personal opinion that automated tools save time from analysts perspective and money from business perspective. Thanks -- Martin Visit my security blog: http://dotsecure.blogspot.com On 9/27/05, Bernhard Mueller <research@...-consult.com> wrote: > Exibar wrote: > > I didn't mean to imply that the consultants create their own exploits, > > not many I know could even begin to do that, only a couple are talented > > enough to do just that. Even for those very few, it's just not feasable > > from a time perspective. Much quick and cost effective to use what's out > > there. > > > > so what use is a pentest if the consultant isn't even talented enough to > find / create exploits for unknown vulnerabilities? > any average admin can install and run an automatic security scanner. > furthermore, a common nessus report contains 99% useless garbage. and > most of the time, you can not apply generic exploits like these from > metasploit to a specific customer situation. > in my experience, nearly all sites have some serious security flaws even > if tools like nessus say the contrary. there may be self-coded > applications or software that is not widely known or tested so they're > not found in any vulnerability database. or, if that is not the case, > you may even find new flaws in well-established software. > IMHO you can not deliver a reasonable security assessment until you have > checked everything by hand. > > > regards, > -- > _____________________________________________________ > > ~ DI (FH) Bernhard Mueller > ~ IT Security Consultant > > ~ SEC-Consult Unternehmensberatung GmbH > ~ www.sec-consult.com <http://www.sec-consult.com> > > ~ A-1080 Wien Blindengasse 3 > ~ Tel: +43/676/840301718 > ~ Fax: +43/(0)1/4090307-590 > ______________________________________________________ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050927/2f581bbc/attachment.html
Powered by blists - more mailing lists