Marcus Ranum downplays importance of Pen Test Tools like Metasploit - opinions?

[jackadaniel at gmail.com (Jack Daniel)]

One thing Marcus said which I think is dead on is that if you have to
"rub someone's nose in it" to convince them they have a problem
(actually exploit a vuln and compromise something) we're already
screwed.  How do you create a secure environment if decision makers
minds are set to default-ignore?  If I were an optimist, I would say
people learn and change. Then again, if I were an optimist, this would
be a poor career choice.


Jack


2008/10/29 Bugbear <gbugbear at gmail.com>:
> So I was listening to the Risky Business Podcast this AM (#85) on my commute
> in (right after finishing part II of pauldotcom) and they had Tenable
> Network Security's CSO Marcus Ranum on. Marcus stated that he felt tools
> such as Core and Metasploit had no usefulness in pen test. He emphasised
> that a design review and vulnerability scanning should be enough.
>
> While I may have misunderstood his statements and I do agree design/config
> reviews and vulnerability scanning needs to be the first and second step of
> any regular review, pen test, etc... I completely disagree on his comments
> on using such aforementioned tools in conjunction with products such as
> Nessus. i.e. Nessus is not going to tell me if my blackberry user is
> connecting to free wifi and is vulnerable to Karma, etc..
>
> Thoughts, comments, opinions? Interested in what the viewpoint of the broad
> background of pauldotcom listeners! Or maybe someone can clarify his
> comments for me.
>
> Tim
>
>
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com



-- 
______________________________________
Jack Daniel, Reluctant CISSP
http://blog.uncommonsensesecurity.com
http://www.linkedin.com/in/jackadaniel