mailing list archives
Re: What a security test should do?- from thinking about: Ethical Hacking Training
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Jan 2004 22:01:02 -0600
On Fri, 2004-01-23 at 14:32, Pete Herzog wrote:
What does a pen test fail to provide?
I had to think about this for a little while because it's not so much
what someone needs to know to be a security manager, CISO, or security
consultant, but rather what do we expect from a security test?
I know what pen-tests have been used for but I think a lot of that is
under-analyzing the results of a pen-tset. As an auditor of pen-test
reports for some companies, I see many of these reports focusing on
could it be that they are confusing Penetration Tests with Vulnerability
Assessments or Security Reviews? The way I see it, vuln assessments take
a broad approach, looking at things in _breadth_. It includes software,
hardware, network/app concepts and design, physical, policy, and
whatever else should be included in the scope. Pen tests on the other
hand look at things in _depth_. It is a focused effort to find the weak
points (one or a couple if time/scope permits) and penetrate existing
defenses, keeping record on what needs to be improved.
Both serve a different purpose and have a different approach. A pen test
will most likely not find every vulnerability, while a vuln assessment
does not exploit found vulnerabilities. Vuln assessments provide a more
quantitative description of the security controls while pen tests
provide a more qualitative description.
I like the open source testing methodology, but I think it should be
split into two categories to provide two guides, one for each type of
Description: This is a digitally signed message part