Hi all,
Do you think that an external infrastructure pentest is nowadays obsolete?
What I want to say is that, most of the serious companies nowadays will only
have a few servers on their DMZ (web server, mail server, SSL concentrator,
terminal server, citrix) and will only allow access to one or two ports for
each of them. The rest of the infrastructure (excluding the internet facing
router and firewall) will be completely inaccessible.
Thus, if web application testing is out of scope, there isn?t much to test, is
it? Only half a dozen of services to check vulnerabilities and
misconfiguration, check if mail rely is on, make a password bruteforce
attack(?), check that the DNS can?t be poison and VOILA! You have finished!
Do you think that it is ethical to consult our clients to ?buy? an external
pentest anymore?
P.S. If I am wrong, PLEASE prove me wrong!
--
Ioannis Koukouras
CISSP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
=
Cruise Value Center - Mexico Cruises
Cruise Value Center is one of America's leading discount brokers on Mexican
cruises. Let our experts help you choose the cruise vacation package that will
meet your budget and lifestyle.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=83149e4a674877039cb5c210b2445439
--
Powered by Outblaze
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
|