[Dailydave] Penetration Testing considered harmful today..

Val Smith mvalsmith at gmail.com
Tue Mar 20 01:03:44 EDT 2012

Sounds very similar to things I've been saying in my talks for years, particularly the part about not simulating real attackers.

Specific adversary attack simulation is something we happen to do well, mostly because we also do a lot of incident response and simulator development based on what we see in incidents. Fewer pentest orgs do IR, especially not full binary RE-based IR, so it's hard for them to transition to attack sims. Also, common engagement scoping is not conducive to the most beneficial and complete styles of testing. Real testing is EXPENSIVE and takes a long time. Thankfully we are lucky with smart and forward-thinking customers, but in the industry there are definite signs of a bubble when it comes to traditional tests.

Standard pentests are nearly useless (for big business) and often detrimental.

Thanks for the thought-provoking talk.

Haroon Meer <haroon at thinkst.com> wrote:

>(This bounced around the twitters all day today but figured it would
>be interesting to hear thoughts from DD)
>At 44Con-2011 we did a presentation titled: "Penetration Testing
>considered harmful today"
>The central thesis of the talk is that penetration testing has
>established itself as a necessary activity for securing a network and
>is now pushed forward by a multi-million-dollar industry despite the
>clear signs that it is not helping all that much.
>A link to the annotated slides and the video can be seen at:
>Haroon Meer | Thinkst Applied Research
>Tel: +27 83 786 6637