
| Subject: | Re: Research on penetration testing? |
|---|---|
| Date: | Wed, 15 Dec 2004 17:41:02 +0000 |
I would agree with this if you wish to follow a less technical line. The ROSI problem (Return on Security Investment). How to sell penetration testing and vulnerability assessment, cost savings and so on.
Hi,

I would agree with this idea. When I read this my thoughts went immediately to the book "Optimizing Oracle Performance" written by Cary Millsap and Jeff Holt, published by O'Reilly. This book, quite obviously by the title, is about tuning Oracle and not about penetration testing - bear with me..:-)

The book describes the new(ish) method of using the Oracle wait interface (instrumentation in the Oracle kernel) for tuning. But the big idea in the book is the fact that using this method the tuning effort is repeatable and calculable in advance in terms of effort and cost benefits. Cary and Jeff describe how it's possible to analyse the issue and then identify the key business processes that are a problem and finally also identify the time saving that is possible with solutions (this is possible because what they are doing is analysing lost time in the processing of data - so that time is highlighted in detailed steps in the kernel source) and hence the cost benefit to the organisation. This is mind blowing when you consider previous efforts were based on trial and error, e.g. change this parameter and see if the program is faster... no... now change it back and then try another parameter instead... and so on.... With "Method R" as described by the authors the tuning effort is acutely focused based on cost benefit to the business, and the cost benefits of the possible solutions are known.

Now if this breakthrough in tuning could be applied to penetration testing then the cost benefits for customers would be great. I would say also that anyone who could offer this service would be in a commanding position. Managers like to see costs and benefits..:-) It is like the difference between alchemy and science. Whether it's possible to apply these ideas to penetration testing or not is difficult to know. Also I feel the solution would probably be technical as well as business related.
In the Oracle book, the authors have developed Perl scripts to apply the ideas and also utilize queuing theory in the solutions. I think ideas along this line would make a great project.

Hope this helps

Kind regards

Pete

--
Pete Finnigan (email: pete@petefinnigan.com)
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book: Oracle Security Step-by-Step Guide - see http://store.sans.org for details.