Penetration Testing mailing list archives
Re: All of the things you need to learn to be a pen-tester (Re: Pen t est basic needs)
From: Omar Herrera <oherrera () prodigy net mx>
Date: Fri, 05 Aug 2005 08:30:44 -0500
----- Original message ----- From: AdamT

On 8/3/05, Daniel Miessler <daniel () dmiessler com> wrote:

> So yeah, the differences are very important, as is knowing where you truly stand. The vast majority of "pentesters" are just security professionals running security tools; there's no creativity, no innovation, no spark.

Whilst creativity, innovation and 'spark' (enthusiasm?) are certainly requirements, there does have to be a certain amount of 'predictable' work done too.

I totally agree with Adam. Creativity and innovation are important characteristics of a good pentester, but equally or more important than these is the ability to execute a pentest in an orderly, well documented manner (e.g. tests that can be reproduced and that clients can clearly verify are well within scope).

In other words, a pentester can't just sit back for hours waiting for a rush of inspiration; creativity and innovation should be applied during the late parts of the engagement (e.g. checking and exploiting home-made applications), but many times pentesters tend to forget that pentester != hacker. Pentesters have deadlines, as well as scope and legal requirements, and many times we see people go beyond the engagement's scope or not complying with it, just because they focused so much on a “creative” way to handle a specific point that they got too interested in.

Relying solely on creativity and innovation is as bad as just handing reports generated by tools without any further analysis and verification. Moreover, I’m convinced that pentest engagements should be based on order, strict procedures and standards, with creativity and innovation being used as support for specific tasks (where appropriate, as time and resources permit), and not the other way around.

One final comment on this. Creativity and innovation are very valuable, and indeed hard to find; yet, it is through a good, well written report that a pentester will be able to show to clients how good he/she is at them. A badly written and disorganized report will leave a bad impression, no matter how creative the pentester was.

Regards,

Omar Herrera