Re: All of the things you need to learn to be a pen-tester (Re: Pen test basic needs)

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Fri Aug 05 2005 - 09:30:44 EDT


----- Original Message -----
From: AdamT
> On 8/3/05, Daniel Miessler <daniel@dmiessler.com> wrote:
> >
> > So yeah, the differences are very important, as is knowing where you
> > truly stand. The vast majority of "pentesters" are just security
> > professionals running security tools; there's no creativity, no
> > innovation, no spark.
>
> Whilst creativity, innovation and 'spark' (enthusiasm?) are certainly
> requirements, there does have to be a certain amount of 'predictable'
> work done too.

I totally agree with Adam. Creativity and innovation are important characteristics of a good pentester, but equally or more important than these is the ability to execute a pentest in an orderly, well-documented manner (e.g. tests that can be reproduced and that clients can clearly verify are well within scope).

In other words, a pentester can't just sit back for hours waiting for a rush of inspiration; creativity and innovation should be applied during the late parts of the engagement (e.g. checking and exploiting home-made applications), but many times pentesters tend to forget that pentester != hacker. Pentesters have deadlines, as well as scope and legal requirements, and many times we see people go beyond the engagement's scope or not comply with it, just because they focused so much on a “creative” way to handle a specific point that they got too interested in.

Relying solely on creativity and innovation is as bad as just handing over reports generated by tools without any further analysis and verification. Moreover, I’m convinced that pentest engagements should be based on order, strict procedures and standards, with creativity and innovation being used as support for specific tasks (where appropriate, as time and resources permit), and not the other way around.

One final comment on this. Creativity and innovation are very valuable, and indeed hard to find; yet, it is through a good, well-written report that a pentester will be able to show clients how good he/she is at them. A badly written and disorganized report will leave a bad impression, no matter how creative the pentester was.

Regards,

Omar Herrera




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:42 EDT