
Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response



On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
> Because they pay the kids to own them in a safe manner to show that

It's not as simple as all that.  A good pen-tester needs more skills than just
how to pwn a server.  You need some business smarts, and you need to be *very*
careful about writing the rules of engagement (some pen tests that involve
physical attacks can literally get you shot at if you screw this part up), and
then *sticking with them* (you find a major social engineering problem while
doing a black-box test of some front-end servers, you better re-negotiate those
rules of engagement before you do anything else).  Also, once a pen test
starts, you can't take your time and poke it with the 3 or 4 types of attacks
that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
37 different classes of attacks they're likely to see and another 61 types
of attacks they're not likely to see and aren't expecting.  And be prepared to
work any one of those 94 from "looks like it might be an issue" to something you
can put in a report and say "You Have A Problem".

Almost no company is stupid enough to hire a pen testing team without that team
posting a good-sized performance bond in case of a screw-up taking out a
server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
*already* caught them stealing the data once :)

And the kids are going to land a $1M performance bond, how?

(Hint - think this through.  Really good pentesters make *really* good bucks.
If those kiddies had what it took to be good pentesters, they'd already be
making bucks as pentesters, not as kiddies)

> their so-called experts are full of shit, then they fire said experts 
> and hire competent people saving time money and resources, try and 

Doesn't scale, because there's not enough competent people out there. There's
140 million .coms, there aren't 140 million security experts out there.

It's not a new idea - I've heard it every year or two since probably before
most of the people on this list were born.  The fact that almost no companies
actually *do* it, and that those hackers who have successfully crossed over to
consulting are rare enough that you can name most of them, should tell you
something about how well it ends up working in practice.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/