[Full-disclosure] Flash that simulates virus scan
Michael Neal Vasquez
mnv at alumni.princeton.edu
Wed Oct 31 22:35:30 GMT 2007
It's valid IMO, but also depends on the client expectations. At the outset,
the parameters of what's being tested should be well outlined. Some clients
prefer purely technical measures for penetration. Others are open to a
complete (i.e. SE included) test. Obviously a better choice, but I always
had 2 goals in the complete test: A) Purely technical intrusion & B)
Intrusion via SE. Cover your bases, open their eyes.
Show them a) the need for vigilant employee training and security awareness
programs, and
b) that their infrastructure has its own stand-alone holes as well....
On 10/31/07, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
>
> On Wed, 31 Oct 2007 16:56:20 CDT, reepex said:
> > resulting to se in a pen test cuz you cant break any of the actual
> machines?
>
> Lots of *actual* compromises happen the same exact way - resorting to SE.
> As such, if a pen test doesn't cover the same territory, it's incomplete.
>
> "Yes, your house is secure - we checked all the doors and they're up to
> snuff.
> We however didn't check if you'll open the door *anyhow* if the landshark
> on
> the other side says 'Landshark', leading to everybody getting eaten."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20071031/84c3662e/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.