Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NFR Wizards> 1998

NFR Wizards Archive: RE: Penetration testing via shrinkware

RE: Penetration testing via shrinkware

McEwen, Don (dmcewennsf.gov)
Thu, 3 Sep 1998 14:37:51 -0400

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Next message: Paul McNabb: "Re: password aging"
Previous message: Vanja Hrustic: "Re: Penetration testing via shrinkware"
Next in thread: Gary Crumrine: "RE: Penetration testing via shrinkware"

I'd like to agree that a human can do a much better job,
however "For everything there is a season, and a time to every purpose
under the heaven." [Prov 3:1]

I recently had to scan several http hosts that I don't manage for a
particular
vulnerability. I spent better part of 2 hours to look for this particular
vulnerability on about 20 hosts. Sure I could have typed faster and
had a better methodology but an automated tool that would check them should
have taken 5 minutes or less.

My experience is that we have more "users" publishing web pages off the
desktop
or "user" department with their own web servers and other vulnerable
machines.
I'd think that the human would do a better job, but what seems to happen in
these
cases is that the IT department doesn't have staff necessary to support an
unlimited number of servers and most just don't get any checking at all. An
automated tool would at least give some protection.

Don McEwen

> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjrnfr.net]
> Sent: Thursday, September 03, 1998 10:19 AM
> To: Stout, Bill; Firewall-wizards
> Subject: Re: Penetration testing via shrinkware
>
>
> >What are the opinions on the thoroughness of shrinkwrap software
> >penetration testing? Is today's shrinkware more capable for
> penetration
> >testing (a single machine) than a human?
>
> I guess it depends on the human! :)
>
> Can a program do a better job of testing than a lame, clueless
> human? Sure! Can a program do a better job of testing than a
> fairly experienced security guru? No. Can a program do a better
> job of testing than an 3ll33t? No.
>
> By extension, I'd assume that someone was a lamer if they were
> using shrinkwrap. I'd assume they were bringing no native
> expertise to the table, and I'd only pay them "shop time"
> rates (e.g.: about $25/hr) instead of consultant rates
> (you pay consultants for expertise not their ability to
> click 'go').
>
> One of the problems with shrinkwrap is that it's not a whole
> lot faster and it can overlook really stupid stuff that a
> human would detect in a heartbeat. For example, what about the
> customer who has a telnet listener on port 25 behind a screening
> router? The shrinkwrap will try to do DEBUG and WIZ on it but
> won't try to log in as root.
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
>

Next message: Paul McNabb: "Re: password aging"
Previous message: Vanja Hrustic: "Re: Penetration testing via shrinkware"
Next in thread: Gary Crumrine: "RE: Penetration testing via shrinkware"

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT