<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>Matasano Chargen - Latest Comments in Seven Deadly Pen Test Sins</title>
    <link>http://matasanochargen.disqus.com/</link>
    <description></description>
    <language>en</language>
    <lastBuildDate>Fri, 19 Jun 2009 22:19:41 -0000</lastBuildDate>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-11490942</link>
      <description>Nice post, Dave. Even professionals are having a hard time with this.</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">iketz001</dc:creator>
      <pubDate>Fri, 19 Jun 2009 22:19:41 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323662</link>
      <description>@sigsegv &lt;br&gt;&lt;br&gt;In terms of QA, pure hacking (more chaos related ;)) is the wrong approach. A good pentester should work with a prepared checklist (test case descriptions, passed/failed criteria) and a well-defined, more structured method (reusability and repeatability). No one says that a pentester with a QA background can't hack with creativity...&lt;br&gt;&lt;br&gt;To point number 7: a pentester should understand and explain the BUSINESS IMPACT of a vuln.&lt;br&gt;&lt;br&gt;;)</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sven Weizenegger</dc:creator>
      <pubDate>Sat, 15 Mar 2008 16:20:45 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323661</link>
      <description>This is a fantastic post. I've written before about some of the qualities that make a penetration tester a good one, but over time even an expert can fall prey to the problems you listed out. Even the best can get lazy.</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tyler Shields</dc:creator>
      <pubDate>Fri, 14 Mar 2008 10:44:31 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323660</link>
      <description>sigsegv: I think you're right, but there are also multiple approaches to pen-testing. Some people spend months at one client, meticulously mapping a network. Others, due to various factors, spend a week and have to take a less formal approach. I think as long as you do your due diligence in scanning and documenting the network in the beginning (at least as far as IPs/ports), you can responsibly sample and creatively assess it without being too structured.</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">send9</dc:creator>
      <pubDate>Fri, 14 Mar 2008 09:10:11 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323659</link>
      <description>Dr. Neal Krawetz: I'm going to have to disagree with you here. I've had more success with semi-randomly going through a network letting my intuition guide me rather than following some overly "structured" approach. &lt;br&gt;&lt;br&gt;For me, hacking is a creative process rather than a 9 to 5 day job.</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">sigsegv</dc:creator>
      <pubDate>Fri, 14 Mar 2008 08:30:43 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323658</link>
      <description>bobdole: Well, that's what RSS feeds are for ;)&lt;br&gt;&lt;br&gt;Great post, though I think because I try not to be guilty of #5 I become guilty of #1.</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">send9</dc:creator>
      <pubDate>Thu, 13 Mar 2008 13:11:44 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323657</link>
      <description>"Seven Deadly Pen Test Sins"? You have a good list, but what about:&lt;br&gt;&lt;br&gt;- Get it in writing. If you don't have a written agreement to do the testing, signed by someone with the authority to grant permission, then don't start. (Don't do the crime if you can't do the time.)&lt;br&gt;&lt;br&gt;- Scope and Target. You brushed this topic in 1, 2, and 7. Basically, you need to know what to look at and what to look for. It's great to identify that they are using an F5 load balancer and showing that there is an inherent vulnerability in them. But unless the customer is F5, there is no point in doing a deep pen-test of the load balancer.&lt;br&gt;&lt;br&gt;- No plan. A good pen-test should end with a map of the system, dependencies, etc. If you're testing a network, then there should be a detailed map of the network discovered by the pen-tester. If you're testing an application, then you should have a design architecture as seen by the pen-tester. Without this, the customer will know that the tester was just bouncing around from random exploit to random exploit.</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dr. Neal Krawetz</dc:creator>
      <pubDate>Thu, 13 Mar 2008 09:15:01 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323656</link>
      <description>Oh come now, you just posted that so that I would continue to read this site even though I see no content day after day...</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bobdole</dc:creator>
      <pubDate>Wed, 12 Mar 2008 19:59:30 -0000</pubDate>
    </item>
    <item>
      <title>Re: Seven Deadly Pen Test Sins</title>
      <link>http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/#comment-2323655</link>
      <description>Great post, Dave :)</description>
      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Stefano Zanero</dc:creator>
      <pubDate>Wed, 12 Mar 2008 07:03:44 -0000</pubDate>
    </item>
  </channel>
</rss>