Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Programming skills for Pen Testers

from [Craig Wright] Network Security [Permanent Link]
Subject: RE: Programming skills for Pen Testers
Date: Mon, 13 Feb 2006 09:45:56 +1100 

Hello
First just to get this in C programming is a good skill. C++ is also not
bad to have. This said, what the hell is this doing in a pen test
discussion.

/*
**      start rant
*/

How can anyone here honestly state that programming skills are needed
for pen testing? An audit of source code is NOT a pen test. This does
require coding skills - they are not the same thing and anyone who
thinks they are is under a delusion.

Are we talking "Vulnerability Research' or Pen. Tests? Do we all
understand that they are NOT the same thing?

If a business/organisation/etc is paying you for 20 hours of applied
testing - I certainly hope that you are not going off on some ill
conceived tangent and effectively taking their money without doing the
service you have been commissioned for?

Thomas is correct "Time is money - your customers money" - Do not forget
this!

Welcome to reality. There ARE time constraints. You are not paid to
research every possible theoretical vulnerability or find a new buffer
overflow in a Pen Test!

No wonder businesses do not trust information security. No wonder the
profession is not being taken as seriously as it should be.

/*
**      Rant complete
*/


Regards
Craig



-----Original Message-----
From: thomas springer [mailto:tuevsec@gmx.net]
Sent: 11 February 2006 3:30
To: johnny Mnemonic
Cc: pen-test@securityfocus.com
Subject: Re: Programming skills for Pen Testers

johnny Mnemonic wrote:


ok we all know that in addition to good network, host and application
security skills, programming in C is a pre-requisite for a decent pen
tester or at least one who wants to write their own security tools or
simply audit the open source code they use. My question is, despite
their similarities should a pen tester be concentrating on C or C++ ?
That's it!


Time is money - your customers money. Most of my pentest-programming is
quick and dirty and has to be highly adoptable - therefore it is usually
done in high-level-languages like perl, python, vbscript, even nessus'
nasl-language using external tools (hping etc) where applicable.
i won't even think of doing object-oriented c++-programming for a
pentest.

things get different if you think of creating a "big" product like
nessus or iss-scanner - but if you code stuff like this you are probably
more a coder than a pentester... :)

tom


------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------


Liability limited by a scheme approved under Professional Standards Legislation 
in respect of matters arising within those States and Territories of Australia 
where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If 
you are not the intended recipient, you must not use or disclose the 
information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the 
email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may 
not rely on this message as advice unless it has been electronically signed by 
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments 
due to viruses, interference, interception, corruption or unauthorised access.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Qualys, Christoph Puppe
Next by Date:  Reason 0.3.0 Nessus Client (now with Password Mgmt.), jszatmary
Previous by Thread:  RE: Programming skills for Pen Testers, jeremiah
Next by Thread:  RE: Programming skills for Pen Testers, johnny Mnemonic
Indexes:  [Date] [Thread] [Top] [All Lists]