Posted by Tate Hansen
Mon, 05 May 2008 04:45:00 GMT
This is from the new PCI information supplement (regarding the required annual penetration testing for compliance):
The penetration tests should attempt to exploit vulnerabilities […] attempting to penetrate both at the network level and key applications
Really? I laughed when I read this, seriously. It made me think for a second about how many consultants really have the skills to chef-boy-ar-dee exploits under pressure. It’s clear, too, that this is not about a vulnerability sweep; they want you to bust in.
Penetration testing [..] should occur from both outside the network trying to come in (external testing) and from inside the network.
Wow. True penetration testing from inside the network? How many internal networks have you seen that would survive a blitzkrieg attack from a good penetration test team?
PCI states:
“resources must be experienced penetration testers”
What does that mean?
I’m sure the PCI council is compos mentis, and I’m not trying to rain on the PCI council or ASVs or QSAs, though it’s funny the council points out that “The PCI DSS does not require that a QSA or ASV perform the penetration test”. That statement wouldn’t be because most of them couldn’t penetration test their way out of a paper bag even if they were handed a loaded Metasploit gun, right?
With the huge number of companies bemoaning PCI compliance, I just don’t see most of them getting a true penetration test. I guess I could be reading too much into this. Maybe the skill bar I set for experienced penetration testers is way higher than what the PCI council, or anyone else, considers experienced or good?
Do you have penetration testing skills? What does that mean to you? Do you think most of the companies that buy a penetration test actually get one?
Tags: ASV, ClearNet, ClearNet Security, exploits, PCI, Penetration Testing, QSA, security, Tate Hansen, vulnerability
Posted by Tate Hansen
Fri, 01 Feb 2008 06:50:00 GMT
There are lots of articles mentioning the Digital Armaments bounty for exploits. I wrote a snippet on the commercial exploit market about a month ago, in which I simply listed the prices for subscribing to the different exploit houses.
I guess I forgot to consider another complexity of all this: the influence of the organizations that compete to purchase exploits (e.g. iDefense, 3Com/TippingPoint, governments, and people and groups with lots of money).
I wonder how far this really goes. It seems this market is in a boom of sorts, which implies there are lots of private exploits trading hands. Exactly how many would be interesting to know. Hell, any numbers would be nice.
One thing is apparent, though: if this market continues to grow, how can any security product based on “knowing attacks” succeed? It won’t. An IDS vendor is not going to be able to afford to purchase them all; no company will have a monopoly.
Tags: ClearNet, ClearNet Security, exploits, ids, ips, security, Tate Hansen, vulnerabilities
Posted by Tate Hansen
Fri, 28 Dec 2007 15:57:00 GMT
Smash TV quotes. Love ‘em.
Speaking of big money, the commercial exploit market’s growth isn’t making it any easier to bid on penetration test gigs. If you want to give clients the highest assurance you’re capable of, then of course you’d like to have your hands on every exploit out there, both public and private.
| product  | to start | quarterly | total  |
|----------|----------|-----------|--------|
| d2       | $1,950   | $850      | $5,350 |
| gleg     | $1,400   | $700      | $4,200 |
| argeniss | $1,000   | $500      | $3,000 |
| canvas   | $1,450   | $730      | $4,370 |
And the cream of the crop:
Immunity Sec’s Vulnerability Sharing Club: $50,000 - $100,000 per year
Attacking with anything less in hand tends toward negligence, especially if you do so without disclosing what you’re missing. Pay to have them all and you’ve likely priced yourself out of competitive bids.
The winners here, again, are the attackers.
“Good Luck… you’ll need it!”
Tags: argeniss, ClearNet, ClearNet Security, d2, exploits, gleg, immunity, Penetration Testing, security, Tate Hansen