Penetration Testing mailing list archives

Re: All of the things you need to learn to be a pen-tester (Re: Pen test basic needs)


From: Omar Herrera <oherrera () prodigy net mx>
Date: Fri, 05 Aug 2005 08:30:44 -0500

----- Original message -----
From: AdamT
On 8/3/05, Daniel Miessler <daniel () dmiessler com> wrote:

So yeah, the differences are very important, as is knowing where you
truly stand. The vast majority of "pentesters" are just security
professionals running security tools; there's no creativity, no
innovation, no spark.

Whilst creativity, innovation and 'spark' (enthusiasm?) are certainly
requirements, there does have to be a certain amount of 'predictable'
work done too.

I totally agree with Adam. Creativity and innovation are important characteristics of a good pentester, but equally or
more important than these is the ability to execute a pentest in an orderly, well-documented manner (e.g. tests
that can be reproduced and that clients can clearly verify are well within scope).

In other words, a pentester can't just sit back for hours waiting for a rush of inspiration; creativity and innovation
should be applied during the late parts of the engagement (e.g. checking and exploiting home-made applications), but
many times pentesters tend to forget that pentester != hacker. Pentesters have deadlines, as well as scope and legal
requirements, and many times we see people go beyond the engagement's scope or not comply with it, just because
they focused so much on a “creative” way to handle a specific point that they got too interested in.

Relying solely on creativity and innovation is as bad as just handing reports generated by tools without any further
analysis and verification. Moreover, I’m convinced that pentest engagements should be based on order, strict procedures
and standards, with creativity and innovation being used as support for specific tasks (where appropriate, as time
and resources permit), and not the other way around.

One final comment on this. Creativity and innovation are very valuable, and indeed hard to find; yet, it is through a
good, well-written report that a pentester will be able to show clients how good he/she is at them. A badly
written and disorganized report will leave a bad impression, no matter how creative the pentester was.

Regards,

Omar Herrera

