I made a note a couple of weeks back to talk about this subject here when I got a chance. Well that time has arrived. I saw a post on the pen-test list on security focus titled "Research on penetration testing?" where the poster told us that he had the chance to take a masters degree in Norway and was looking for research ideas in the area of penetration testing, unanswered questions, areas that should be researched further academically or ideas that would be of public interest.
A few posters suggested ideas, the complete thread index is available here. One poster suggested looking at the business aspects of costing and benefit to the customer of penetration testing. I thought that this was a great idea. I added a detailed post with my thoughts at the time. I will repeat my ideas here as posted:
"I would agree with this idea. When I read this my thoughts went
immediately to the book "Optimizing Oracle performance" written by Cary
Millsap and Jeff Holt - Published by O'Reilly. This book, quite
obviously by the title is about tuning Oracle and not about penetration
testing - bear with me..:-)
The book describes the new (ish) method of using the Oracle wait
interface (instrumentation in the Oracle kernel) for tuning. But the big
idea in the book is that fact that using this method the tuning effort
is repeatable and calculable in advance in terms of effort and cost
benefits.
Cary and Jeff describe how its possible to analyse the issue and then
identify the key business processes that are a problem and finally also
identify the time saving that is possible with solutions (This is
possible because what they are doing is analysing lost time in the
processing of data - so that time is highlighted in detailed steps in
the kernel source) and hence the cost benefit to the organisation.
This is mind blowing when you consider previous efforts were based on
trial and error. e.g. change this parameter and see if the program is
faster... no... now change it back and then try another parameter
instead... and so on.... with "method R" as described by the authors the
tuning effort is acutely focused based on cost benefit to the business
and the cost benefits of the possible solutions are known.
Now if this breakthrough in tuning could be applied to penetration
testing then the cost benefits for customers would be great. I would say
also that anyone who could offer this service would be in a commanding
position. Managers like to see costs and benefits..:-)
It is like the difference between alchemy and science.
Whether its possible to apply these ideas to penetration testing or not
is difficult to know. Also I feel the solution would probably be
technical as well as business related. In the Oracle book, the authors
have developed perl scripts to apply the ideas and also utilize queuing
theory in the solutions. I think ideas along this line would make a
great project.
Hope this helps"
I think this is a very good point in relation to general penetration testing. How would you define the cost benefits of a penetration test and how does that relate to an audit of to internally running a commercial or free tool?
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Great tool for security checking a PC"] [Next entry: "HTML Kit"]
January 2005
- Oracle security and content management - 01/01/2005 by 01/01/2005
- Some updates to the Oracle default password list - 01/02/2005 by 01/02/2005
- Nice article on SQL Injection - 01/03/2005 by 01/03/2005
- Frank has a review of Bruce Schneier book "Beyond Fear" - 01/04/2005 by 01/04/2005
- We have moved - 01/05/2005 by 01/05/2005
- Schema difference tool - 01/07/2005 by 01/07/2005
- CREATE SCHEMA - does it do what it says on the tin? - 01/08/2005 by 01/08/2005
- Becoming another user - 01/09/2005 by 01/09/2005
- A nice simple DBMS_OBFUSCATION_TOOLKIT example by Nimzo Benoni - 01/10/2005 by 01/10/2005
- Howard Rogers has a good article about database links - 01/11/2005 by 01/11/2005
- Amis blog has an entry all about OpenVPN - 01/12/2005 by 01/12/2005
- Sarbanes Oxley and Oracle - 01/13/2005 by 01/13/2005
- Adam Martins Oracle password cracker seems to not be available - 01/14/2005 by 01/14/2005
- Great tool for security checking a PC - 01/15/2005 by 01/15/2005
- Penetration testing research and cost effective security - 01/16/2005 by 01/16/2005
- HTML Kit - 01/17/2005 by 01/17/2005
- Security alert released by Pete Finnigan - 01/18/2005 by 01/18/2005
- Alexander Kornbrust has an advisory for CPU - January 2005 - 01/19/2005 by 01/19/2005
- Search Oracle talks about the Critical Patch Update - 01/20/2005 by 01/20/2005
- Translation of www.Heise.de German news article - 01/21/2005 by 01/21/2005
- oops missed off the link - 01/22/2005 by 01/22/2005
- Steve Kost has released an Integrigy advisory for CPU - January 2005 - 01/23/2005 by 01/23/2005
- Tom talks about proxy users - 01/24/2005 by 01/24/2005
- Updated internals and Oracle applications security page - 01/25/2005 by 01/25/2005
- default passwords and Oracle default passwords - 01/26/2005 by 01/26/2005
- Frank has a great blog entry about web application security - 01/27/2005 by 01/27/2005
- Interesting thread on Oracle-l about ftp'ing data into the database - 01/28/2005 by 01/28/2005
- Some interesting comments about CPU - Jan 2005 on c.d.o.s - 01/29/2005 by 01/29/2005
- Andrej Koelewijn talks about google stopping comment spam - 01/30/2005 by 01/30/2005
- Happy birthday to orablogs.com - 01/31/2005 by 01/31/2005
Archives
Syndication
Powered by gm-rss 2.0.0
