38 of 41 people found the following review helpful
Should be called "Professional Pen Testing Project Management",
This review is from: Professional Penetration Testing: Volume 1: Creating and Learning in a Hacking Lab (Paperback)
I had fairly high hopes for Professional Penetration Testing (PPT). The book looks very well organized, and it is published in the new Syngress style that is a big improvement over previous years. Unfortunately, PPT should be called "Professional Pen Testing Project Management." The vast majority of this book is about non-technical aspects of pen testing, with the remainder being the briefest overview of a few tools and techniques. You might find this book useful if you either 1) know nothing about the field or 2) are a pen testing project manager who wants to better understand how to manage projects. Those looking for technical content would clearly enjoy a book like Professional Pen Testing for Web Applications by Andres Andreu, even though that book is 3 years older and focused on Web apps.
PPT offers 18 chapters, with 12 chapters on project management and non-technical issues, and 6 ostensibly covering technical issues. The technical material is limited to the basics of conducting reconnaissance, running Nmap, Nessus, CORE IMPACT, Ettercap, Aircrack-ng, Netcat for "maintaining access," SSH for an "encrypted tunnel," and trivial file and script changes to "cover tracks." Seriously. I'm sure some review readers are saying "sometimes it's just that easy." That's true, but we don't need a 528 page book with an outrageous price tag to read about these well-known methods. If your experience with pen testing is limited to this book, take a look at Andres Andreu's title to see the sort of material you should expect in a book on pen testing.
I didn't find the project management parts all that helpful, either. Some of it just repeats material published in various guides like the Open Source Security Testing Methodology Manual. Other sections repeat certification descriptions found on vendor Web sites. It is clear the author really cares about project management, so maybe he should have just written a book on project management for security managers?
I gave the book three stars because I didn't find the book to be technically or managerially incorrect. (If that had been the case, I would have rated it two stars.) If you want much better coverage on technical matters not found in Andreu's book, try the core Hacking Exposed titles. They address the same topics that PPT barely introduces.
Initial post: Jan 27, 2010 11:31:46 PM PST
Thomas Wilhelm says:
I'm sorry to hear that your expectations for the book were not met, but honestly it was never targeted at someone with your skill level and understanding of penetration testing. Perhaps if I explained why I wrote the book, it would provide some rationale for its existence.
As a university professor teaching Information System Security at the undergraduate and graduate level to students migrating into the security field, I have had numerous students interested in, and confused about, how to actually conduct a penetration test. These people came from multiple disciplines and backgrounds and needed a way to understand the process. This book is not intended for an audience with a strong technical background in hacking - it is intended for engineers interested in understanding the business side of penetration testing; it is intended for managers trying to understand what they might experience when confronted with an audit, and eventual pentest; it is intended for those who want to become professional penetration testers, but are either just starting out in the field, or committing to a career change from a different part of the IT world.
I believe this book fills a void in the current literature - there are many outstanding books dedicated to tools and advanced hacks, but few that can introduce novices to the field in a way that is understandable, manageable, and yet challenging. The book has an additional feature that was not addressed in your review - the DVD, which contains three LiveCDs that provide an excellent learning experience for novices and experts alike. The book walks the reader part-way through an easier LiveCD setup, but the more advanced LiveCD is definitely a challenge for all.
Again, I am sorry to hear that the book was not to your liking; I still believe that the book offers the intended audience substantial value.