Penetration Testing: Re: Security Audit

Re: Security Audit

From: Forrest Rae <forrest_at_code-lab.com>
Date: Wed, 05 Sep 2001 14:52:15 -0500

Hi Todd,

You bring up some very good questions: :-) When I say vulnerability
assessment, I should have added "Automated" to the beginning.

> What is the difference between vuln assessment and pen test?

IMHO: It's a fine line between assessing possible access points and
entering access points.

> I have not done either but this seems like a highly subjective area to me.

Agreed

> Are you really going to do a vuln assess on a dynamic web site - with all
> its custom scripts and database connectivity and possibly middleware - in 20
> minutes?

I mentioned "Once Over" for a reason. :P This is just a base to work
from. Some customers want a view of 30,000 feet, some want 100 feet.

> It sounds like a vuln assess consists of running Nessus or
> something similar, searching bugtraq archives and possibly throwing in a
> google search for extra credit.

Yes, that is basically one way you can accomplish it. Nessus is a great
tool that, when used properly, can accomplish wonderful things. (Baby Sit
Children, Leap Tall Buildings, etc. :-P ) Although, I wouldn't recommend
giving customers canned Nessus reports. ;-)

> Even on a workstation it seems like you couldn't get much done in 20
> minutes. I don't even see how you could reliably enumerate all the
> installed software in less than 20 minutes.

Are you going to really enumerate all installed software without
penetrating the computer?

-Forrest

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Sep 06 2001
