Re: [Full-disclosure] Flash that simulates virus scan

It's valid IMO, but also depends on the client expectations.  At the outset,
the parameters of what's being tested should be well outlined.  Some clients
prefer purely technical measures for penetration.  Others are open to a
complete (i.e. SE included) test.  Obviously a better choice, but I always
had 2 goals in the complete test: A) Purely technical intrusion & B)
Intrusion via SE.  Cover your bases, open their eyes.

Show them a) the need for vigilant employee training and security awareness
programs, and
b) that their infrastructure has its own stand-alone holes as well....




On 10/31/07, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> wrote:
> On Wed, 31 Oct 2007 16:56:20 CDT, reepex said:
> > resulting to se in a pen test cuz you cant break any of the actual
> machines?
>
> Lots of *actual* compromises happen the same exact way - resorting to SE.
> As such, if a pen test doesn't cover the same territory, it's incomplete.
>
> "Yes, your house is secure - we checked all the doors and they're up to
> snuff.
> We however didn't check if you'll open the door *anyhow* if the landshark
> on
> the other side says 'Landshark', leading to everybody getting eaten."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/