[fuzzing] Hey all

nnp version5 at gmail.com
Sat Mar 15 10:58:02 CDT 2008


On Sat, Mar 15, 2008 at 8:56 AM, Ari Takanen <ari.takanen at codenomicon.com>
wrote:

> --snip--
>
> If I am reviewing a VA services company that claims to do fuzzing, I
> check out which tools they can use, and how well they use them. If
> they build custom one-off fuzzers, or only use one or two open source
> fuzzers, I recommend our customers to stay away from them.
> Unfortunately there are very few good VA companies out there...
>
> I would be happy to argue about the criteria on how to define the
> profile for a good security analyst if you do not agree with me. ;)
>
> /Ari
>
> --snip--


In some cases I think one-off or at the very least custom built fuzzers
would be a definite bonus.  Bespoke in-house protocols, previously un-fuzzed
protocols etc. I would be much more willing to go with a company that has a
history of providing thorough testing and results but doesn't have a
particular test set for the desired protocol than a company that has 8
million different protocol test suites none of which have been sufficiently
tested out.

*I'm going to assume the anti one-off fuzzers stance has nothing to do with
you working for a company that sells 'fuzzing-in-a-box' solutions.

-nnp

-- 
http://www.smashthestack.org
http://www.unprotectedhex.com