Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: What a security test should do?- from thinking about: Ethical Hacking Training
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Jan 2004 22:01:02 -0600

On Fri, 2004-01-23 at 14:32, Pete Herzog wrote:
What does a pen test fail to provide?

I had to think about this for a little while because it's not so much
to me
what someone needs to know to be a security manager, CISO, or security
consultant, but rather what do we expect from a security test?

I know what pen-tests have been used for but I think a lot of that is
also
under-analyzing the results of a pen-tset.  As an auditor of pen-test
reports for some companies, I see many of these reports focusing on
software
vulnerabilities, 


Pete,

could it be that they are confusing Penetration Tests with Vulnerability
Assessments or Security Reviews? The way I see it, vuln assessments take
a broad approach, looking at things in _breadth_. It includes software,
hardware, network/app concepts and design, physical, policy, and
whatever else should be included in the scope. Pen tests on the other
hand look at things in _depth_. It is a focused effort to find the weak
points (one or a couple if time/scope permits) and penetrate existing
defenses, keeping record on what needs to be improved. 

Both serve a different purpose and have a different approach. A pen test
will most likely not find every vulnerability, while a vuln assessment
does not exploit found vulnerabilities. Vuln assessments provide a more
quantitative description of the security controls while pen tests
provide a more qualitative description.

I like the open source testing methodology, but I think it should be
split into two categories to provide two guides, one for each type of
review.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]