
IDS is dead...no I mean pen-testing is dead...
[Check out http://carnal0wnage.attackresearch.com/node/440]
What does it mean when a person asserts that something 'is dead'? This conversation comes up over and over again, and although it was posted back in December 2010, this article is a great example of the 'is dead' phenomenon.
We all know what this guy is talking about because we see it firsthand with our customers. Traditional pen-testing in the style of 'Sneakers' (the 1992 film) does not scale in terms of time or space, so, as in any domain, evolution brings us automation. While he is at it, the blogger might also mention that, for the most part, these are dead too:
- Bank Tellers
- Grocery Line Cashiers
- Postal Mail
- Business Cards
- Butcher Shops
While things do die, most services that provide value find a way to continue to add value and persist.
In all seriousness, what is important here is not manual versus automation but domain expert versus non-domain expert; in other words, the evolution of a craft or function. This is the techno-social feedback loop that propels us forward, and the technology, process and people around this function, called penetration testing, are evolving. We go from 'absolutely perfect' to 'good enough'; we go from hundreds of experts to millions of semi-experts; we go from a huge, precise vocabulary of terms to a small set of general terms; and so on.
Let me be the first to make the assertion that 'is dead' is dead!
