Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Pen Test vs. Health Check
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Thu, 29 Jan 2004 16:44:09 -0300

Rob Shein wrote:

A Pen Test is only as good as the testers and is only a snapshot. However, a network that has been secured from the inside out, with a solid secure foundation should stand the test of time, even if it is compromised the attacker may not be able to roam freely and all their actions should be recorded.

There's another factor, which is the way that a pen-tester becomes engaged
by a weak point.  In an assessment, a vulnerability is noted, and the tester
moves on, but in a pen-test, they engage that vulnerability, and follow it
like the beginning of a path into the network.  Later, they can go back to
the starting point and find another path, but it's still like trying to map
the paths through the woods on foot; it's possible to miss one.  On the
other hand, an assessment is more like mapping them from a low-flying

Right, or in other words,

A penetration test gives you depth, you understand how a small set of
vulnerabilities can be linked together into an attack and the implications of that particular attack to your organization, but you dont learn about
ALL possible paths of attack.

A vulnerability assement gives you breath, you map and identify ALL (hopefully) vulnerabilities in your network but you do not undersand how they relate to each other and how an attack could link a given subset of
them together in order to achieve a specific goal.

Iterating both processes can give you more breath in the first case and
more depth in the second.

Doing a penetration test constantly is quite expensive today hence the
perceived shortcoming of just identifing one or a few attack paths.

Doing constant vuln. scanning is, perhaps, not as expensive if you
do so from a single or a few attack points in your network topology but
will quickly become cumbersome and expensive if you want to achieve
the level of depth a pen-test provides. And there is still a need
to correlate results and construct possible attack scenerarios out
of them. The overall cost of this also increases if you consider
(as it should be) a vulnerability assesment something much more
comprehensive than just vulnerability scanning.

I suspect that the right balance for each organization is unique
to its specific needs, skillsets, budget, business practices and
core business.


To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842

Ivan Arce

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]