Wednesday, April 28, 2010

Book Review: Professional Penetration Testing

I recently read this book because I was looking to modernise my home penetration testing lab and being blunt, I haven't done a hands on role for awhile and missed it. So I wanted to familiarise myself with current trends/approachs and get back into it. I was particularly curious to see what this book had to promise me in that regard. I had seen the De-ICE disks harped on in Hackin9 magazine and thought "what the hell".

Firstly, I must add that this book was a serious disappointment to me - but I feel that this was more due to the misleading title.

Whilst it would be unfair to say it is useless to everyone, I must say I found it largely useless to me. Perhaps this could be that in my background I've conducted pentests, I've overseen pentests and I've acted as a security lead on multiple projects, including large scale e-commerce projects with multiple pentesters over multiple rounds of testing. So while my work has been hands off for some time, this is certainly familiar territory.

If you are anything like me, have pentesting experience or been doing pentesting for some time - please do yourself a favor and avoid this book. It is not technical AT ALL, it will offer you everything from career advice, to certification advice, to methodology advice, etc. Just about anything BUT setting up a home pentesting lab. Infact, the bulk of the book can be summed up as "Just install my De-ICE disks, read my forums, do my courses and away you go!".

On the other hand, if you have ZERO penetration testing experience (or perhaps are a black hat looking to go legit or a university graduate with minimal work experience) you could probably benefit from this book for the reasons stated above. This book discusses a lot of hte benefits of penetration testing within a corporate environment, how/why/where you apply methodologies (and the pros and cons of each), complementary skills and so on. In that regard, it is quite beneficial. But do not make any mistake - this book will NOT teach you how to set up a pentest lab. Moreover, even if you are a beginning penetration tester, I can think of far, far better textbooks for a novice (the OWASP Testing Guide for starters, which is free too).

No such review would be complete without some complementary feedback. So I will say that I found zero grammatical/spelling errors (that's not saying there are any - only I detected none). I did like how each chapter had review questions or "mini assignments" that required you to go off and do additional investigation to learn what the author was trying to convey and that such information cannot be gleaned from this book alone. That I thought was a good strategy at trying to get the reader to learn beyond the scope of the book.

However, we must refer back to the title. Do I feel that this book taught me how to establish my own pentesting lab? No, absolutely not. The title is horribly misleading and should be renamed "Professional Penetration Testing: A career from Black Hat to Ethical Hacker". I'm sure that the author is very techincally capable and was well intentioned in writing this book. Which is why I would suggest that my title is far more appropriate. But this is not a technical book and does the reader an injustice by advertising it as such.

My inadequate score is for the poor choice of title and despite the grammar and spelling seeming solid, there is the fact I feel very dirty after reading it.

Rating: 3/10 (*6/10 for those new to penetration testing as a career path).

- J.


max kilger said...

I read the comment about my talk and I agree that I should have jammed more cites into the talk - I would suggest not bad science just slacked on providing all the references. The numbers for the jargon file research come from two studies I did - one in 2002 and the other in 2009. Some of the data for the 1994 jargon file figures appears in the Profiling chapter of Know Your Enemy, 2nd edition (2004, book author - Honeynet Project) while some of the 2003 jargon file data can be found in a forthcoming chapter “Social Dynamics and the Future of Technology-Driven Crime”, in Corporate Hacking and Technology-Driven Crime, Holt, T. and Schell, B. eds., forthcoming.

Hope that this helps...


max kilger

Drawing classes melbourne said...

Thank you for sharing a useful post with us!