February 27th, 2007
It seems that the debate over automated tools vs. manual penetration testing raises serious questions within government agencies. South Carolina and Delaware already use Core Impact; others might follow:
Let’s assume you’ve signed off on a decision to run penetration tests because you want to know how vulnerable your agency is to outside attacks. Now what? Should your agency hire a consultant? Buy automated software to perform the tests? Both?
Answering 10 questions can help you decide whether hiring a consultant or buying software is the right answer.
- What is your risk tolerance for information technology security threats?
- Does your agency perform critical functions or have stewardship of critical or sensitive data? How serious are the implications of disrupted service or lost or compromised data?
- Do you know how well your software patching system is working?
- Do you have the in-house expertise necessary to run and interpret automated tests?
- Have you determined a baseline of IT security?
- Are you required to have a third-party assessor review your IT security?
- Does your agency have a robust presence on the Web?
- Does your agency primarily use custom applications or does it mostly use commercial software?
- How frequently do you want to test your systems and network for vulnerabilities?
- What level of spending can your budget support?
Federal Computer Week magazine has the full story.
February 26th, 2007
Nick Baskett wrote an interesting article in IT-Observer about best practices when hiring an external penetration testing consultant. I hope that more and more business decision makers will apply his advice:
Finally, remember that companies don’t perform penetration tests, people do. So no matter which company you go to, it always boils down to the person you have working on your account. Make sure you always have the best people for the job in place, and remember that the best person for one job may not be the best for another. Understanding the strengths and weaknesses of your team is a fundamental part of good management.
February 23rd, 2007
Anurag Agarwal released the second article in his series of mini biographies called Reflection, which so far has presented Amit Klein; this week’s security superstar was RSnake. The next Reflection will feature Jeremiah Grossman. Anurag nicely presents a short bio of RSnake and also his great contribution to web application security.
If there is any mention of XSS, there is a big chance RSnake’s name or his cheat sheet is mentioned along with it. His contribution to web application security awareness is legendary. On two of his many web sites (http://ha.ckers.org and http://sla.ckers.org) you will find a wealth of information on various aspects of webappsec. His XSS cheat sheet is arguably the most referenced link in the webappsec space.
Full article: Reflection on RSnake
February 21st, 2007
Techworld has a story about the ongoing conflict between Stefan Esser, founder of the PHP Security Response Team (which he recently left), and his former colleagues, who are accused of being careless, if not outright incompetent about security.
It seems that Esser’s initiative to disclose one PHP vulnerability each day during March 2007 is unpopular among core PHP developers, especially with Zeev Suraski, co-creator of PHP and chief technology officer of Zend, the company that manages PHP development.
I’m a strong believer in full disclosure and I really hope that Stefan’s security disclosures will benefit the whole web security community.
I will keep a close eye on Stefan’s blog during March because you never know what bug the next day will unveil. Or maybe you do know.
So, what do you think: should all these security vulnerabilities be disclosed or not? (By the way, PHP 5.2.1 fixed some, if not all, of these vulnerabilities.)