Interview with Ivan Arce, CTO of Core Security Technologies
by Berislav Kucan - Thursday, 29 May 2003
Simple, elegant, clearly conceived and implemented code with cleaver techniques is generally also secure code. A simple file editor and enough time on your hands is the best security tool in existence.

You can inspect other people's code and find bugs, sometimes you can fix the bugs yourself or you can even code your own software that matches your own security standards.

CORE IMPACT : The penetration testing solution

Next in my favorites list. It never ceases to amaze me the amount of knowledge and security expertise poured into this product - and yet it is usable by any regular guy. Besides all the commercial justifications for a product like this - which I shouldn't be so blatantly promoting :), it gives me a great tool to learn and try new things and ideas that otherwise I would not have had the time to do.

Snort : The network Intrusion Detection System

The closest to perfection in the network IDS space. Given the dedication and unselfish attitude of the snort development team, it is no surprise that they have been able to develop such a high quality tool that can accurately detect when you are under attack. This is not a minor achievement.

Although I believe that no NIDS will ever accurately detect ALL attacks, not even all the ones that exploit known vulnerabilities, I also know that Snort closes the gap between noticed and unnoticed attacks more quickly than any other option. Also, it is free, open-source and has a vast legion of paranoid security fanatics improving it constantly.

PF : OpenBSD's packet filtering firewall

It is compact, efficient, feature rich, and yet secure. That is an accomplishment for firewall technology.

Nmap : The network swiss knife, err mapper

It is always useful and comes in handy for a wide array of uses.

Your company often releases security advisories. Is the exposure you are receiving as a direct result of the disclosed vulnerabilities, a good "marketing" tool for your products and services?

I think the best marketing tool we have is to demonstrate our security expertise, technical capabilities and the professionalism that everybody at Core possesses. Publishing advisories is a way of showing this, but it does not necessarily translate into direct marketing for our products and services. To disclose vulnerabilities just for the sake of gaining exposure no matter what is not our game. Our goal is to try and provide some benefit to the security community, to help them understand the vulnerabilities and their risk, and to fix them either with what their vendors give them or with their own workarounds. If the reader of our advisories is happy with our free work they would probably consider us for the paid stuff :)

In your opinion, how important is penetration testing?

Penetration testing is an underrated practice. If used wisely it can provide instant results that improve one's security posture in a tangible way. Many organizations are starting to share this belief and we see that happening everyday with new standards and regulations increasingly talking about pen-testing. To further this belief we also see growing interest from all kind of organizations: Fortune 1000 companies, government, military, security consulting boutiques, IT consultants

and even mid-size and small companies.

Like everything else in the infosecurity space, pen-testing is not a silver bullet, but it is really the best way to address the security problem from the viewpoint of the attacker. And that is a requirement if you are serious about your security.

What is your take on the automated vulnerability assessment services?


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Nov 30th