This is a pretty good summary of #pentest as a profession:

https://www.reddit.com/r/Pentesting/comments/1ixoq2g/pentesting_is_the_hardest_cybersecurity/

(I don't think comparisons to other fields makes much sense though)

@buherator The nagging feeling of "having missed a bug" described here is totally self-inflicted and totally misaligned with incentives for someone working in offense now? You get asked to show a couple of glorious bugs and nobody expects you to be 100% exhaustive.

Isn't this feeling more likely to be associated with defense work, where you absolutely have to find everything?

@freddy IME consultants (incl. pentesters) are hired in large part to outsource responsibility. We all know testing can't be perfect, but if there was a test and still there was an exploited bug, you have a scapegoat.

Example: you discover 10 SQLis, which is a lot. Dev fixes all of them but doesn't go any further in root cause analysis. When the 11th SQLi gets exploited it will be the pentester's fault that it was not in the report, because a) people think in checkbox lists, b) doing proper analysis is expensive, c) the consultant is not "one of us" ...