You can inspect other people's code and find bugs, sometimes you can fix the bugs yourself or you can even code your own software that matches your own security standards.
CORE IMPACT : The penetration testing solution
Next in my favorites list. It never ceases to amaze me the amount of knowledge and security expertise poured into this product - and yet it is usable by any regular guy. Besides all the commercial justifications for a product like this - which I shouldn't be so blatantly promoting :), it gives me a great tool to learn and try new things and ideas that otherwise I would not have had the time to do.
Snort : The network Intrusion Detection System
The closest to perfection in the network IDS space. Given the dedication and unselfish attitude of the snort development team, it is no surprise that they have been able to develop such a high quality tool that can accurately detect when you are under attack. This is not a minor achievement.
Although I believe that no NIDS will ever accurately detect ALL attacks, not even all the ones that exploit known vulnerabilities, I also know that Snort closes the gap between noticed and unnoticed attacks more quickly than any other option. Also, it is free, open-source and has a vast legion of paranoid security fanatics improving it constantly.
PF : OpenBSD's packet filtering firewall
It is compact, efficient, feature rich, and yet secure. That is an accomplishment for firewall technology.
Nmap : The network swiss knife, err mapper
It is always useful and comes in handy for a wide array of uses.
Your company often releases security advisories. Is the exposure you are receiving as a direct result of the disclosed vulnerabilities, a good "marketing" tool for your products and services?
I think the best marketing tool we have is to demonstrate our security expertise, technical capabilities and the professionalism that everybody at Core possesses. Publishing advisories is a way of showing this, but it does not necessarily translate into direct marketing for our products and services. To disclose vulnerabilities just for the sake of gaining exposure no matter what is not our game. Our goal is to try and provide some benefit to the security community, to help them understand the vulnerabilities and their risk, and to fix them either with what their vendors give them or with their own workarounds. If the reader of our advisories is happy with our free work they would probably consider us for the paid stuff :)
In your opinion, how important is penetration testing?
Penetration testing is an underrated practice. If used wisely it can provide instant results that improve one's security posture in a tangible way. Many organizations are starting to share this belief and we see that happening everyday with new standards and regulations increasingly talking about pen-testing. To further this belief we also see growing interest from all kind of organizations: Fortune 1000 companies, government, military, security consulting boutiques, IT consultants
and even mid-size and small companies.
Like everything else in the infosecurity space, pen-testing is not a silver bullet, but it is really the best way to address the security problem from the viewpoint of the attacker. And that is a requirement if you are serious about your security.
What is your take on the automated vulnerability assessment services?