Comments on Jeremiah Grossman: Some unanswered questions
Comment feed last updated 2024-02-08T03:44:23-08:00; 11 comments, newest first.

Alexander Berezhnoy (https://www.blogger.com/profile/13867899886188396572), 2008-07-09T04:26:00-07:00:
Wow, it's a great idea.
Imagine a pentester's training server which calculates test coverage and sums the results.

That's much more funny than those "choose a variant" tests.

That kind of a server must be quite intelligent itself, though.

Christian "@xntrik" Frichot (https://www.blogger.com/profile/10391255646967473669), 2008-07-08T17:44:00-07:00:
@jeremiah: Dear Pentester, our results show that you have an IQ of approximately 120. You have perhaps attended SANS 538 and you appear to be following the OWASP Testing Guide process with about 80% accuracy.

Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186), 2008-07-08T16:30:00-07:00:
HAH. I'm thinking it would be classic if at the end the website generated a report on your intelligence. :)

Christian "@xntrik" Frichot, 2008-07-08T16:27:00-07:00:
@jeremiah Okay. Are you trying to scare me?
I haven't even had my morning coffee yet.

Jeremiah Grossman, 2008-07-08T16:25:00-07:00:
It's kinda funny. You think you are testing a website, but at the same time it's testing you as well.

Christian "@xntrik" Frichot, 2008-07-08T16:22:00-07:00:
I like and agree with what Arshan was saying with regard to what manual testing reflects.

Jeremiah Grossman, 2008-07-08T12:05:00-07:00:
"anthropomorphize" word of the day? :) I had to go look it up. ahahah.

Arshan Dabirsiaghi (https://www.blogger.com/profile/17228728745073712711), 2008-07-08T11:17:00-07:00:
4) You can't really anthropomorphize the tools in this space.
Although they've got some facets of "learning", the constructs are essentially static.

For the record, I think manual testing reflects 4 things (in no particular order):
1) tester's intelligence
2) tester's creativity
3) tester's training
4) tester's process

Christian "@xntrik" Frichot, 2008-07-07T21:11:00-07:00:
2) I agree that if you only encrypt the authentication channel but leave all other channels unencrypted, especially those containing sensitive data, that you haven't thoroughly addressed the risk. You have mitigated _some_ of the weaknesses though, but not enough (imho).

4) Is the effectiveness of an automated tool really a test of its intelligence? Can any tool really be intelligent? I'm of the belief that a tool in the hand of an unintelligent person*, regardless of how good the tool is, will still prove to be ineffective.

*nb: unintelligent person doesn't mean low IQ or anything. That could mean anything, including someone who is rushing to meet deadlines for example.

Anonymous, 2008-07-07T10:15:00-07:00:
Oh and we're looking for volunteers to help with authoring sections and peer review.
Please email robert_@_webappsec.org (without the _'s) with 'I would like to contribute towards the TCv2' as the subject.

Anonymous, 2008-07-07T09:48:00-07:00:
The TCv2 will be done when it is ready and not any sooner :)