Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Penetration Testing
Re: Research on penetration testing? Dec 13 2004 05:56PM
H Carvey (keydet89 yahoo com) (1 replies)
RE: Research on penetration testing? Dec 13 2004 06:56PM
Rishi Pande (rpande vt edu) (2 replies)
Re: Research on penetration testing? Dec 15 2004 09:18PM
leonardo (billtorvalds1 yahoo it) (1 replies)
Re: Research on penetration testing? Dec 16 2004 07:28PM
SecurIT Informatique Inc. (securit iquebec com) (1 replies)
RE: [in] Re: Research on penetration testing? Dec 19 2004 09:48PM
Curt Purdy (purdy tecman com)
Re: Research on penetration testing? Dec 14 2004 06:11AM
Gareth Davies (gareth davies mynetsec com) (1 replies)
Re: Research on penetration testing? Dec 15 2004 05:41PM
Pete Finnigan (plsql petefinnigan com)
>I would agree with this if you wish to follow a less technical line.
>
>The ROSI problem (Return on Security Investment).
>
>How to sell penetration testing and vulnerability assessment, cost
>savings and so on.
Hi,

I would agree with this idea. When I read this my thoughts went
immediately to the book "Optimizing Oracle performance" written by Cary
Millsap and Jeff Holt - Published by O'Reilly. This book, quite
obviously by the title is about tuning Oracle and not about penetration
testing - bear with me..:-)

The book describes the new (ish) method of using the Oracle wait
interface (instrumentation in the Oracle kernel) for tuning. But the big
idea in the book is that fact that using this method the tuning effort
is repeatable and calculable in advance in terms of effort and cost
benefits.

Cary and Jeff describe how its possible to analyse the issue and then
identify the key business processes that are a problem and finally also
identify the time saving that is possible with solutions (This is
possible because what they are doing is analysing lost time in the
processing of data - so that time is highlighted in detailed steps in
the kernel source) and hence the cost benefit to the organisation.

This is mind blowing when you consider previous efforts were based on
trial and error. e.g. change this parameter and see if the program is
faster... no... now change it back and then try another parameter
instead... and so on.... with "method R" as described by the authors the
tuning effort is acutely focused based on cost benefit to the business
and the cost benefits of the possible solutions are known.

Now if this breakthrough in tuning could be applied to penetration
testing then the cost benefits for customers would be great. I would say
also that anyone who could offer this service would be in a commanding
position. Managers like to see costs and benefits..:-)

It is like the difference between alchemy and science.

Whether its possible to apply these ideas to penetration testing or not
is difficult to know. Also I feel the solution would probably be
technical as well as business related. In the Oracle book, the authors
have developed perl scripts to apply the ideas and also utilize queuing
theory in the solutions. I think ideas along this line would make a
great project.

Hope this helps

Kind regards

Pete
--
Pete Finnigan (email:pete (at) petefinnigan (dot) com [email concealed])
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

[ reply ]




 

Privacy Statement
Copyright 2009, SecurityFocus