Re: Verify Your Security Provider -- The truth behind manual testing.

From: Aarón Mizrachi (unmanarcgmail.com)
Date: Sat Jul 18 2009 - 12:52:34 CDT


On Saturday 18 July 2009 04:58:59 Justin Ferguson wrote:
> > I'm a pentester, but i have to say that pentest is only the first stage
> > when you show the impact and risk of an attack to justify a more
> > extensive and white box based security plan.
>
> I'm curious as to your reasoning for not just skipping the foreplay
> assessment and selling the customer what they apparently needed in the
> first place (whitebox review), and to consider the ethical
> implications of charging your customer X thousand dollars for a
> service which is just the precursor to the service they needed/you're
> going to recommend at the end.
>

> Sans DRM, anti-debugging/disasm, et cetera related engagements, why
> would a blackbox assessment ever be better for improving the security
> of a client?

Good point! I agree with you!

I'll talk only about my experience. I worked on many projects which involved
many stages of the audit process (forensics, pentesting, and even a complete
ISO 27001 audit)... And I have to say that companies don't like to put money
into security. Many times it happens only when they have an incident... Reactive
security. (Even in companies with an IT security department...)

This was only the introduction to my point, not the reason to offer pentesting.

Reasons:

1- Most companies don't like to invest in security because they don't
love/trust the return on investment (ROI) of security. They put their trust in
a new advanced firewall that comes in a box... remember: it's a box, they have
a feeling of security from a material thing, and they can blame the box when
they get hacked. They cannot blame the audit when they get hacked, because we
work with statistics.

I know, this is pirate behaviour and it should be different in our times, but
it is not different; therefore, you ask them for a pentest to open their eyes
and show how vulnerable they are.

Pentesting costs are peanuts compared to a full audit process, and they
usually prefer to confirm that they are vulnerable before they open a costly
security budget (we offered both at the same time, and companies preferred
pentesting 9/10 times).

Pentesting in conjunction with other studies can also be used to estimate the
risk impact and how much budget is justified to spend on a more extended
audit.

2- The other justification to pentest is when the customer really doesn't have
an extensive budget to spend on security. Therefore, a very good pentest could
cover most of the vulnerabilities with a smaller budget. (Better than none.)

--
Ing. Aaron G. Mizrachi P.

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAkpiC+YACgkQ2ixydRu83wA8+QCfTC44ba70vUc4K/05NCwDsAxP
pfcAoMhTwmPhKTOSRvjY2PMPNZhnD0rB
=MwUo
-----END PGP SIGNATURE-----