Comments on: Pentesting: Do you need “coverage” ? http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/?utm_source=rss&utm_medium=rss&utm_campaign=pentesting-do-you-need-coverage The Application Security Street Fighter Blog Tue, 16 Mar 2010 17:01:03 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: CG http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/comment-page-1/#comment-1136 CG Fri, 02 Oct 2009 01:55:01 +0000 http://blogs.sans.org/appsecstreetfighter/?p=3086#comment-1136 you've done an excellent job describing a few issues. First is that developers are not pentesters and usually shouldn't be. mostly because they look as the problem as an problem with a single application and not how all those issues fit together as its related to your network security posture and for protection of your critical assets/data/or IP. Second, you've described perfectly what should go on during a vulnerability assessment and application (source) review and not a pentest. we need to get away from "pentests" that attempt to find every possible vulnerability, those are vulnerability assessments or if you want to justify your existence vulnerability assessments with exploitation or vulnerability assessment with source code audit and not pentests. Its time for a pentest when you've done all the things you mentioned in your posts and you think your app is good to go & no one can break it or into it. Or more importantly you think you can catch the attacker once he's in your network and one 0day doesnt ruin your whole day. Your find every vulnerability pentest can be / should be/ and rapidly is being replaced by a monkey with a scanner or an appliance in a rack. see chris nickerson for the rest of the rant... you’ve done an excellent job describing a few issues.

First is that developers are not pentesters and usually shouldn’t be. mostly because they look as the problem as an problem with a single application and not how all those issues fit together as its related to your network security posture and for protection of your critical assets/data/or IP.

Second, you’ve described perfectly what should go on during a vulnerability assessment and application (source) review and not a pentest.

we need to get away from “pentests” that attempt to find every possible vulnerability, those are vulnerability assessments or if you want to justify your existence vulnerability assessments with exploitation or vulnerability assessment with source code audit and not pentests.

Its time for a pentest when you’ve done all the things you mentioned in your posts and you think your app is good to go & no one can break it or into it. Or more importantly you think you can catch the attacker once he’s in your network and one 0day doesnt ruin your whole day.

Your find every vulnerability pentest can be / should be/ and rapidly is being replaced by a monkey with a scanner or an appliance in a rack.

see chris nickerson for the rest of the rant…

]]> By: Robert http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/comment-page-1/#comment-1111 Robert Thu, 01 Oct 2009 15:07:19 +0000 http://blogs.sans.org/appsecstreetfighter/?p=3086#comment-1111 WoW. Excellent article. WoW. Excellent article.

]]> By: Yaggi http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/comment-page-1/#comment-1086 Yaggi Thu, 01 Oct 2009 01:08:21 +0000 http://blogs.sans.org/appsecstreetfighter/?p=3086#comment-1086 Honestly, its very hard to level the standard between pen-testers and software QA/developers. I believe Software QA/developers focus on functionality and requirements specs as the scope of their work while pen-testers go further in a very technical level. But I agree that somehow the level should be reach or meet in some aspects and the framework must be solid to reach the level of maturity. Honestly, its very hard to level the standard between pen-testers and software QA/developers. I believe Software QA/developers focus on functionality and requirements specs as the scope of their work while pen-testers go further in a very technical level. But I agree that somehow the level should be reach or meet in some aspects and the framework must be solid to reach the level of maturity.

]]>