Reasonable expectations?
I’m seeing RFPs (Request for Proposal) with language like:
"Exploitation should be performed using tools and techniques for which there is a reasonable expectation would mirror common tools and techniques used by potentially malicious users."
Ok, that's loaded. What are 'common tools and techniques'? For tools, is it Fyodor's Top 75 Security Tools? Metasploit is not listed there; CANVAS and Core Impact are mentioned but are not listed as one of the 75, so are those reasonable? How about application-specific tools like WebInspect or AppScan? What about converting a PoC exploit from FrSIRT's database? You have no developer friends? Alright, but if you're a steadfast and somewhat savvy malicious user, I'd bet you would pay for a nice VulnDisco Pack, especially if what you're after is more valuable to you or to someone else.
Nailing down the "what is reasonable" part gets tricky, and then think about the cost of using, say, 5 of these commercial tools: you'd be at $20,000 after negotiations. That will surely win you the bid.
My point is that you can easily make an argument for any of the tools listed above, not to mention the hundreds of free tools available. Technique likely has even less common ground. Some like to say penetration testing is worthless, but I think that argument belongs to the idealist-versus-realist debate. If there is demand for this service, I see no reason not to try to win the work if you play in this field. It is just very hard to succinctly give a client enough information to differentiate between bidders and make a quality decision.
A good question to submit when responding to similar RFPs goes something like: 'Ok. You want reasonable assurance that you can't be compromised. Considering your definition of a 'malicious user', what do you consider the greatest amount of resources (i.e. time and money) such a user may dedicate?' I think that gets you closer to what the client really wants.