Dailydave mailing list archives

Re: Penetration Testing considered harmful today..


From: Val Smith <mvalsmith () gmail com>
Date: Mon, 19 Mar 2012 23:03:44 -0600

Sounds very similar to things I've been saying in my talks for years, particularly the part about not simulating real 
attackers.

Specific adversary attack simulation is something we happen to do well, mostly because we also do a lot of incident 
response and simulator development based on what we see in incidents. Fewer pentest orgs do IR, especially not full 
binary RE based IR, so it's hard for them to transition to attack sims. Also, common engagement scoping is not conducive 
to the most beneficial and complete styles of testing. Real testing is EXPENSIVE and takes a long time. Thankfully we 
are lucky with smart and forward-thinking customers, but in the industry there are definite signs of a bubble when it 
comes to traditional tests.

Standard pentests are nearly useless (for big business) and often detrimental.


Tnx for the thought provoking talk.

V.

Haroon Meer <haroon () thinkst com> wrote:

Hiya(s)

(This bounced around the twitters all day today but figured it would
be interesting to hear thoughts from DD)

At 44Con-2011 we did a presentation titled: "Penetration Testing
considered harmful today"

The central thesis of the talk is that penetration testing has
established itself as a necessary activity for securing a network and
is now pushed forward by a multi-million-dollar industry despite the
clear signs that it is not helping all that much.

A link to the annotated slides and the video can be seen at:
http://blog.thinkst.com/2012/03/penetration-testing-considered-harmful.html

/haroon

-- 
Haroon Meer | Thinkst Applied Research
http://thinkst.com/pgp/haroon.txt
Tel: +27 83 786 6637
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave