websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] NetSec Breaking Apps Better Than AppSec

MO
Martin O'Neal
Sat, Jul 9, 2011 6:46 AM

I personally think there is room for people to have stronger skills in
one area or other, but I truly think that once you go down the route of
"I'm a pentest dog" or "I just do web apps" (or any other kind of
exclusive club), then you have a situation where you get an unbalanced
response, and the customer (anyone remember them?) loses out. They lose
because they are the recipient of (to use the article's words) a
consultant with tunnel-vision. And I don't personally think that it is a
good thing.

The problem with only focusing on the big stuff, to the extent of
building a working custom exploit, is that if you're putting all your
precious project time into this then you won't be getting the breadth
that is required to cover off all the bases. And likewise, if your
reports consist of a hundred chaff findings with minimal risks, but (I
like big butts and I can not lie) you haven't also put in the work to
understand that a combination of four trivial findings (chained attack)
actually gets you a compromised user account, then you have also failed
the client.

At Corsaire, we periodically get approached by a potential client to do
what we call clean-ups. A confidential post-hack analysis, so that they
can understand what went wrong and fix their processes and approach to
security. And generally, the broken environment will be tested
regularly. How can this be so? Because the reports we see are often a
waste of time. I've seen reports from household name security vendors
that, for example, put the project time (and pages of report verbiage)
into building a custom java client to interact directly with a
middleware component. Very clever really. But they put so much time into
this, they skipped the basics, and missed a bunch of pre-login XSS etc,
which is actually how the environment got spanked in the end. And anyone
who hands us a report printed out solely from a scanning tool just gets
a sneaky snicker out of us.

So, after all that rambling, my message is simple. If you think you're
in a camp, and you think you're doing it better, then you're most likely
wrong.

Martin...