[Techtalk] server pen testing

Eeva Järvinen ejarvinen at gmail.com
Wed Aug 10 08:13:14 UTC 2011


2011/8/9 Walt <pippin at fred.net>:
> I seem to remember at least a couple of the Chix had
> made security and pen-testing a bit of a specialty. Am I
> right? Would anyone be interested in tackling this? And
> yes, it would be for pay, though right now we're trying to
> establish how much this would cost.

I'm not volunteering to do it (and I'm also probably good enough to do
really serious testing), but as I've done that kind of stuff (for pay,
white-hat stuff) and bought such services, I'd hazard a guess you're
looking at a cost of a couple of thousand euros if you want some serious
pen-testing. You'll want nice, good NDAs covering the process plus
appropriate releases from companies and people involved - as in, if
the pen-tester damages the server by giving it a serious go, who'll
pay for the damages, for both perhaps operational and hw/sw stuff
and so on.

The other thing is to decide what to look for - usually it's the human
side that's the weakest: you can usually talk yourself into almost
anything and everything given enough time (say, HBGary - it was a
classic case of crackers talking their way in), and the potential for
damage is often far higher, but more often than not people aren't very
willing to test that, preferring just testing the sw/hw side of
things. Not that it's not important, and effective, too - but you need
to know what you're looking for. Simply asking someone to pen-test a
server doesn't mean much, unless you're looking for an all-out test,
which would mean having a go at the server by any and all means
possible - but it's not that many servers that need that kind of
security, and I guess you wouldn't be asking this on such a public
channel if the server was to be secured against anything and
everything. You need to plan the testing in order to benefit from it
as much as you can.


hth,
Eeva
