From: Tim (tim-pentest sentinelchicken.org)
Date: Fri Jul 17 2009 - 12:20:00 CDT
Hi Adriel,
I agree with the vast majority of what you're saying. I work as an
application penetration tester, amongst other things, and the crew I
work with is very hands-on. On numerous occasions I've performed
testing on environments that had previously been tested by other
vendors, only to find dozens of vulnerabilities that they hadn't found
because of the problems you mention with highly automated testing.
However, I take issue with this:
> • Ask them for the names of their security experts and then use tools
> like Google, LinkedIn, Facebook and PIPL to do research on those
> experts. If nothing comes up then chances are their experts aren’t
> experts at all.
Do I really need a Facebook page to be a security expert? There are
plenty of very sharp testers out there who don't relish the limelight
and don't spend their free time blogging about the little hacks they
found this week. Also, many might post under pseudonyms to help
separate their private research activities from work-related ones.
That's not to say doing background research on their consultants isn't
useful, but you can't rely on experts always showing off their stuff.
tim