I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization, after which the weaknesses and exploited vectors are summarized in a detailed report. This will help you gain control over your infrastructure's security and maximize your protection.

Sunday, January 30, 2011

If they scan and paste, why not just buy the tool!

As an infosec specialist, you might have worked with tools like Nessus, AppScan, Acunetix, etc. Well, these tools kind of give a pentester an easy time during an engagement.

Organizations throughout the world that have security departments testing for vulnerabilities on a daily basis use the same tools for easier scans on their subnets, but they also contract security specialists for a view above the scope. It's more money on their budgets, so they always expect added value for what they are procuring.

The other day, I was looking at some reports done by a very powerful company that specializes in AV (anti-virus) and also in PT (penetration testing). From such AV corporations I was expecting really good reports, but all I could see were copy-pastes from Nessus plugins. Many questions unanswered there...

One of the questions I asked myself was, why not just buy a scanner and leave it running for your report?

Another question that truly comes up is, will the bad guys be doing the same?

Anyone who has answers, please post below.



Happiness said...

Great article,
I realised most so-called security professionals capitalise on their organizations' ignorance to excel. Thanks for this.


Kenn said...

One would argue that if you're going to pay millions to someone to run a tool and copy-paste the results into a nicely done spreadsheet, might as well buy the tool and read a HOWTO. I think all pentesters should have good coding skills to go over and above the use of the tools. Be able to write custom scripts to pentest vulnerabilities.

#MyTwoCents. :)

chuksjonia said...

Yeah. If you don't code anything, why pentest applications?

Gramware said...

Awareness is lacking; these guys have no idea what security is, and they think a CEH certificate means a very qualified consultant.

mbx said...

Ditto that, great article indeed. The aspect of why these all-in-one pentest solutions came about stems from automating what a real security tech would do by hand. For a real security tech who is versed, great save of time.

However, this has spawned additional subscription to the point-and-click generation. As Kenn said, pentest and sec folks should have at least some degree of coding skill. Even in that realm we have the script-kiddie mass.

Didn't someone say as technology gets smarter, we get dumber or something like that?