I hesitate to say that Visio is only useful in pen-testing, because it can also be useful in developing a secure architecture or a web page, and really for just putting all the moving parts onto your screen (or paper) so that you can look at the big picture.

I use Visio to diagram networks and web pages that I’m looking at. The network diagramming is pretty obvious – a lot of people use Visio for network diagrams anyway.

Where the value comes for security folks is in the details you’re willing to add to the diagram – what ports are open on the firewall and what servers do they go to?

Another use for Visio is mapping out web pages. You can map out all of the POST and GET variables and cookies that are submitted for each page.

Again, the more detail you’re willing to put into the diagram, the more useful it will be.
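
One way to collect the per-page detail described above before drawing it, as an added example that is not part of the original post: the Python below lists a page's query variables, cookies and form fields as text lines for a diagram shape. The sample URL, HTML and cookie header are constructed, and `map_page` and `shape_label` are hypothetical helper names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input (not from the original post).
SAMPLE_URL = "https://app.example.test/account?tab=profile&lang=en"
SAMPLE_COOKIE_HEADER = "session=abc123; theme=dark"
SAMPLE_HTML = """
<form action="/account/update" method="post">
  <input type="text" name="email">
  <input type="hidden" name="csrf_token" value="x">
  <select name="country"></select>
  <input type="submit" value="Save">
</form>
<form action="/search"><input name="q"></form>
"""

class FormCollector(HTMLParser):
    """Records each form's method, action and named fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None  # _open: form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML forms default to GET when no method is given.
            self._open = {"method": (a.get("method") or "get").upper(),
                          "action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea", "button"):
            # Only named controls are submitted with the form.
            if self._open is not None and a.get("name"):
                self._open["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def map_page(url, html, cookie_header=""):
    """Hypothetical helper: gather the detail for one page's diagram shape."""
    collector = FormCollector()
    collector.feed(html)
    parts = urlsplit(url)
    query = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    cookies = [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()]
    return {"page": parts.path, "query_vars": query, "cookies": cookies, "forms": collector.forms}

def shape_label(node):
    lines = [node["page"], "GET vars: " + ", ".join(node["query_vars"]),
             "Cookies: " + ", ".join(node["cookies"])]
    lines += [f'{f["method"]} {f["action"]}: ' + ", ".join(f["fields"]) for f in node["forms"]]
    return lines
```

Calling `shape_label(map_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_COOKIE_HEADER))` returns one line per item to paste into the shape for that page; cookie values are left out on purpose so session tokens do not end up in a shared diagram.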

So, what’s wrong with just drawing it out? I mean, Visio takes a while to draw even fairly simple diagrams. Most people’s handwriting/drawing skills leave a lot to be desired (unless you trained as an engineer or architect), and many times, you’re working with a group of people and need to share the information. Chicken scratch doesn’t help get the needed information across.

2 thoughts on “Visio in Security Testing”

  1. Grecs says:

    Any thoughts on open source alternatives?

  2. I really liked Dia (http://live.gnome.org/Dia) when I was in grad school – although it’s more focused on technical drawing (UML, circuit design, etc.). It’s a pretty decent substitute for Visio, but it’s not compatible (i.e., you can’t open Visio in Dia and Dia in Visio). I used it for UML and circuit diagrams in college, and it does *very* well at that.
