[Dailydave] Defending the honor of...penetration testing tools

Anton Chuvakin anton at chuvakin.org
Tue Feb 12 20:54:38 EST 2013


On Tue, Feb 12, 2013 at 9:50 PM, Dave Aitel <dave at immunityinc.com> wrote:

>  So as you can see below, I'll be at RSA asking Andrew Jaquith why on
> earth he thinks penetration testing tools are evil. To be honest, I have no
> idea. Does that also imply penetration testing is evil, or is he saying
> that penetration testing tools make people lazy and therefore you get better
> penetration tests without them, in which case I'll try to get him to write
> his future papers without a keyboard or something.
>


Well, I can't say why he thinks they are evil, but I often thought that
their NAME is. Often, when I hear people say "penetration testing tools"
they *automatically* assume that "running that tool == penetration test."
After all, "X tool" in many minds means "tool that does X."  Penetration
tools, last time I checked, don't DO penetration testing. Humans do.  You
can insert all the jokes about stupid people and all, but this sentiment is
very, very contagious.

Therefore I often avoided naming them in my work and instead used
some kludge like "exploitation tools", or (please don't laugh) "tools
[somewhat] helpful during penetration testing."

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Twitter: @anton_chuvakin
Work: http://www.linkedin.com/in/chuvakin