Not long after I started in performance testing, I was debugging a script. It didn’t seem to like one of the requests the script
made, so I did what I would have done at home. I ran through the procedure manually, and watched in Wireshark.
I told a colleague about this, and he said “Don’t ever do that again, and don’t tell anyone that you did it”. The client I was working for at the time were very nervous about security, and would have been furious that I’d used Wireshark on their network.
The basic problem is that they saw Wireshark as a weapon for hackers. It’s
far more acceptable to re-record the script in a more business-like tool, like
LoadRunner VUGen, and compare the new and the old
The difference between a tool and a weapon is mostly semantics.
In the wrong hands, VUGen is just as dangerous as Wireshark –
in fact it’s more dangerous, in some ways, as it can hook into secure
It’s a common problem. A port scanner’s a really
easy way of checking connectivity to a remote server, but terrifies system administrators.
So, instead, everyone checks if a port’s open with
telnet <hostname> <port>.
By forcing IT people to use business-like tools, businesses are forcing them
to use the wrong tool for the job. If their IT people are worth their salt,
they can do just as much damage with these business “tools” as with hacker “weapons”.
Security is an illusion.
Businesses have to trust their IT people. Security measures don’t make IT people any safer,
they just make them less productive.