ZF05 and Pentesting

http://www.flickr.com/photos/43052603@N00/3391952890/

I’m sure you’ve heard about the release of the new ZF05, most likely due to their hack of Dan Kaminsky’s and Kevin Mitnick’s web pages. Here’s an interesting quote:

The very concept of “penetration testing” is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they’re allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is “secure” that does NOT in any way mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client’s network may or may not get into everything. A real dedicated hacker making the slog who spends a month of eight-hour days WILL get into anything they target. You’re lucky if it even takes him that long, really.

Well, he’s obviously right; there is no point arguing with that. Given enough time, an attacker can gain access to pretty much anything. No serious and reputable security company will tell you that after their penetration test, you will be perfectly secure. However, here are a couple of reasons why I think that pentesting (or code audits, or whatever) is still relevant and useful:

  • There are no alternatives. What are you supposed to do? Put a white flag with your root password on it on your web page and surrender?
  • Even if a pentest only found a single vulnerability, the target system is still a little more secure and a script kiddie might not be able to compromise it.
  • Most attacks come from weak hackers anyway. For your average web page it’s enough to close the most obvious flaws.
  • If you’re not hacked within a couple of hours, the attacker might move on to your neighbor.

Given how many completely insecure systems exist out there, and how few of them are actually hacked, I think you’re doing pretty well if a penetration test was able to locate and remove the most obvious flaws. However, someone who really, really wants to get on your system, will. If you unplug your system, he might just get in bed with the secretary to get to your data.


One Response to “ZF05 and Pentesting”

  1. Chrent0o Says:

    Good read. Thanks for pointing that out.
