Hi,

as I work and teach nearly every day with a lot of security testing tools to prevent crime, and as the maintainer of the Fedora Security Lab http://spins.fedoraproject.org/security/ and also being a part of the ISECOM Team who develops the OSSTMM (Open Source Security Testing Methodology Manual) and therefore involved in Security Research and Methodology Development around these topics: http://www.isecom.org/team.shtml I hope that I am allowed to say/add something:

On 15.11.2010 15:15, Máirín Duffy wrote:
> Do you use SQLninja for penetration testing? Had you heard of it before?

Yes - and we have had this tool in the FSL wishlist for 8 months https://fedorahosted.org/security-spin/ticket/60

And just to clarify: the FSL is not a Secure Lab (it is of course secure) - it is a Security Lab, and lwn wrote a much better summary about it than I could: http://lwn.net/Articles/377100/

"Having a larger parent organization like Fedora—and to some extent Red Hat—may help FSL achieve a higher-profile than BackTrack or other security distributions have in the past."

SQLninja is also listed as the Number 1 Test Tool for SQL Injections on the OWASP (Open Web Application Security Project) http://www.owasp.org/index.php/Appendix_A:_Testing_Tools#Testing_for_SQL_Injection

Maybe it is interesting for you that just doing a penetration test is misleading, because this is just about - Can I break into something or not? - This does not qualify to say how secure or insecure something is. Therefore organizations exist to develop methodologies and rules to find out how to do this right, like OWASP, even the German Government, or of course the ISECOM. And to do a test right, all have an almost identical approach, either the

Information Gathering -> SecurityScan -> Verification

or the OSSTMM 4point

Induction -> Inquest -> Interaction -> Intervention

We need tools to do the Verification or Intervention, respectively.

> What penetration testing tools do you use?

Almost all from https://fedorahosted.org/security-spin/wiki/availableApps

Especially in the Verification/Intervention phase I use/need tools to crack/spoof/exploit things. If you look at dsniff, ettercap or yersinia, these are tools to spoof/MITM and do Layer 2 attacks, which I use almost daily in my work.

> Is the language they use to
> explain & advertise their tools similar to that used for SQLninja?

The tool is hosted on sourceforge and it is well documented that it has several test phases

# 2.1 test
# 2.2 fingerprint
# 2.3 bruteforce
# 2.4 escalation

It has a clear statement on the main page that: "It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered." <- this would be the verification phase I see as an imperative step for a proper security test - to prevent crime, of course based on a written contract and test plan.

I do not see much difference to some examples we have in Fedora and that we should have in Fedora:

http://www.foofus.net/~jmk/medusa/medusa.html
http://ettercap.sourceforge.net/
http://www.yersinia.net/attacks.htm
http://www.aircrack-ng.org/
http://ophcrack.sourceforge.net/
http://code.google.com/p/tcpjunk/
http://monkey.org/~dugsong/dsniff/
http://www.secdev.org/projects/scapy/
...

> How
> do you find out about penetration testing tools? How many of the ones
> you use are GPL?

90%

If we really fight for freedom, please reconsider the policy and the decision - I ask myself why is sourceforge able to take this risk easily, or the OWASP project or the German Federal Office for Information Security? I understand that RedHat is bound to all this indemnification wrangling - and of course you can send me away and tell me to do my stuff outside of Fedora, but I would love to do it as a Fedora Contributor and provide these high quality Security Test Tools even if they use some childish wording sometimes to advertise it.

I really look forward to my talk at FUDCon Tempe about my plans for the FSL and the OSSTMM, and that we have a future in Fedora for it.

cu Joerg

--
Joerg (kital) Simon
jsimon@xxxxxxxxxxxxxxxxx
http://fedoraproject.org/wiki/JoergSimon
http://kitall.blogspot.com
Key Fingerprint: 3691 0989 2DCA 58A2 8D1F 2CAC C823 558E 5B5B 5688
_______________________________________________ advisory-board mailing list advisory-board@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/advisory-board