There are two types of “penetration testing” services, each different. I’ll spell them out, and introduce a “third”.

Network Penetration Testing involves a team attempting to break into your network or servers. This is what jum ...
2 years ago
The transgressive bit didn't come at the end. The thing which is going to upset a lot of pester divas of all types is the fact that this stuff really is QA processes.
2 years ago
One minor nitpick -- I'd suggest that methodology is crucial for web pentesting as well. In fact, I think it's even more crucial than network pentesting.
Mainly because a big web app actually has a much bigger attack surface area that has to be mapped out than your average network (assuming we're discounting web-apps from the network segment), and the details of that surface area are theoretically totally new to you each time. There are so many nooks and crannies that it's really important to have a good methodology to be repeatable and thorough. Of course, you need experience as well, I definitely agree with that.
2 years ago
OTOH a methodology can be good for people whose heads are too much in the game, forcing them to mind the shot clock and get the rest of the work done.
Chris E,
Even now a certain percentage of pesting can be automated and can spot the low hanging fruit. I expect that this percentage will rise over time. Of course human eyes will always spot more, but eliminating some problems before shipping is better than waiting for someone else to identify those problems for you.
2 years ago
There are people hired to do these things who couldn't program themselves out of a hello world, and they're supposed to say what's broken with an application? What's broken is that some clueless person is shelling out money for "penetration testing"... How about shelling out money for code reviews and for having top-notch programmers that understand security?
How about spending your time coming up with solutions for secure coding and design of these things instead of searching for the 1001st variation of a flaw here and there? Yes, I know it's not so cool and you won't be a "mercenary" badass, but maybe you'll actually change the world for the better? I'm tired of this arrogant talk. It's always me, me, me - I can break, I can hack, all books suck (unless of course they teach how to pentest), all certifications suck, all software sucks, and no advice on how to actually improve anything. Blargh.
2 years ago
We agree! However, most companies just don't want to share source code to their applications with third parties. And most companies have a business need to have an independent third party review their application. For example, their customer might demand it. So, on one side, a company needs to have someone outside of its organization perform a security review, on the other side, they want to protect their intellectual property.
Code reviews and penetration testing will find different bugs. Most companies that do one will also do the other.
Some people are really good at software development and penetration testing. You are pigeonholing an industry based on some of the people inside of it.
1 year ago
First, the goals of a web app "pen test" can be different than trying to secure it. Sure, securing it is the ultimate goal, but 100% of the multi-billion dollar companies that I consult with do pen tests to confirm that they don't have any vulnerabilities. The reality is, I've never seen a web app without some flaw - however serious. These organizations usually DO have a security development lifecycle, have very intelligent and security-savvy developers, and incredibly layered security review processes. This doesn't mean that there will never be vulnerabilities, and no amount of developer training will ensure apps are always secure.
Another thing I'd like to state is that I usually don't need the code. When I test an app, I can usually tell you what the code looks like behind the vulnerability. In my experience, rarely does a code review turn up new vulnerabilities - though it might locate more instances through root-cause analysis and point out other broken security practices.
I guess my point for this entire post is to say the pen testing definitely does have value. Our customers go much further knowing where the issues are really at. It can then be used as a metric to improve future development practices and create better and more secure apps.
3 weeks ago