By: Jerome

Jerome — Mon, 18 Nov 2013 23:11:12 +0000

Thanks for the comments. I agree with you that pen-tests should be just one element in an overall process but I’d add that pen-tests aren’t meant to find systemic flaws in a comprehensive fashion – that should be the job of architecture reviews, etc. Some organisations see pen-tests as validating their entire set-up, which is of course unrealistic. In the relatively short period of time a pen-tester is given, that’s just impossible, which is why a pen-test has a scope, with a well-defined target area. I agree that a good pen-test report should take the wider view and pick up on architectural weaknesses where the test results have proven such a flaw. That’s the difference between a customised report and a copy-and-paste job from the output of [insert_tool_of_choice].

By: 2cents

2cents — Fri, 15 Nov 2013 13:53:54 +0000

My 2 cents:

Pen tests (in the way they are typically handled) are useless. Vulnerabilities are dealt with on a case by case basis rather than highlighting the systemic flaws within a system/network.

Consider the scenario:
Web facing box compromised via Tomcat, jump to backed db box, elevate privilege with default sa account, gain access to system with xp_cmdshell, steal domain creds, compromise domain.

Report:
Patch tomcat, disable sa account, turn off xp_cmd shell, done.

This is one attack path taken care of but the systemic flaws in the network still remain. Next pentest, similar report comes out again.

The actual “fixes” to the systemic issues require effort, explanation and time – insufficient patching procedures, no DMZ, different domain/trusts between DMZ domain/internal domain, Insufficient domain password policies, etc. None of which most pen testers can offer or have the skills to offer these days.

Pen tests only make up a small offering in the overall scheme of things IMHO.

Comments on: Defence In Depth Penetration Testing

By: Jerome

By: 2cents