From: Joey Peloquin (joeyp at cotse.net)
Date: Wed Oct 01 2008 - 08:23:54 CDT
dimkovtrajce at yahoo.com wrote:
> Hi pentesters,
>
> I am planning to spend a considerable part of my PhD (3 years) on developing a model/algorithm/tool that will help pen testers during white box penetration testing where they look at the physical security of the building, as well as pentesting when they are allowed to use social engineering. Before I start, I would like to know:
>
> 1. How often do you do whitebox pentesting?
> 2. How often are you pentesting physical security as part of the test?
> 3. How often are you allowed to use social engineering as part of the test?
>
> It will help me decide if I should continue working in this field, or switch to another.
>
> Thank you in advance,
> Dimkov
Hey Dimkov,
1. Rarely
2. Never
3. Almost never
In my experience, companies usually already know that physical security and
susceptibility to social engineering are their weak spots, and aren't
interested in paying us to tell them what they already know.
Furthermore, the vast majority of companies out there have a "check in the
box" mentality and therefore do the bare minimum to satisfy whatever
requirement is motivating them to do a PT in the first place. There are
exceptions, of course, but day to day, I find this to be the prevailing
attitude.
Good luck with your project.
-jp
--
"Companies will say, "We can Web 2.0ify your existing applications in 15
minutes - we've got a wrapper". These people are charlatans, and you should
punch them in the face. They are taking your back-end database tiers and
moving them to the perimeter." - Billy Hoffman, HPSW Security Labs