Penetration testing: Core Security


I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market – unsuccessfully.

It's not just that Core Security has a very complete script library – everyone has that or, at least, claims to. It's how they implement it. I had an interesting discussion about that with one of my students at the university recently. His position was that he would rather write and use his own tools than use a “canned” tool, such as Core Impact.

He's not alone. There are a lot of engineers who feel that way, until they need to make production deadlines in operational systems. The workloads of most security engineers preclude the use of the types of tools we write for ourselves. There are never-ending challenges for the information security and IT departments in most organizations. Periodic pen testing is just one of them.

What I really like about Core Impact is that it is the tool I would write for myself if I had time. It is that and then some. Moreover, there is a whole team of engineers and researchers at Core developing new test scripts. What does it take to come up with this type of tool? (And, by the way, that includes Core Essentials, its little sister, a fully automated scanner version that does its job with just a few mouse clicks.) It takes solid commitment to one of my primary principles: Don't think outside the box. Rather, refuse to admit that the box exists in the first place.

I've been watching Core since they started up, and they are innovators because innovation is their company personality. It seems a bit strange to say that they are innovators because they are innovators, but that circular argument certainly applies here.

What's in store the next 12 to 18 months at Core? They are doing more with wireless testing, more application testing and working on testing vulnerabilities specific to particular vertical markets.
