Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Vulnerability Assessment vs. PenTest
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Sun, 20 Aug 2006 18:01:31 -0500

This thread sure went on a long time without covering
the second noun in the subject.

***Penetration Test***

"You don't need to penetrate to verify" is a tired,
lame excuse sold by insufficiently skilled or incompetent
testers for a "penetration test".

Marcus Ranum made better arguments against penetration
tests years ago, but they do not hold water any more
than equivocating about this discussion by asking "did
the bear soil the woods if no one heard him?" questions.

***Defect Detection***

Simply observe the world of manufacturing. Items requiring
rigorous levels of tolerance, say splines or blades
in a jet engine, undergo an array of defect detection
mechanisms, from liquid UV tests to hand inspection to
finally, spinning the assembled engine up and putting
it under load.

Explore and verify. You don't just audit the design or
analyze the documented process that the spline groover
follows, or her historical trend of consistently following
a documented process to create splines.

A penetration test is simply one verification mechanism
in the poorly defined toolkit we have at our disposal
to verify security posture.

A penetration test is analogous to spinning up the
engine and putting it under load.

***Not Defect Detection***

It ain't a pen test if no one tries to penetrate. There
is NO other definition here without playing rhetorical
games that best belong in a scanner marketing slick.
You DO NOT KNOW what is under the hood unless you check.

The bottom line is that "penetration not needed" is sold
as an excuse for lack of depth, ability, and knowledge.

***Don't confuse the Pen with the Tester***

There are technically skilled, but business and risk
myopic pen testers that cannot communicate or contextualize
technical results in a meaningful manner.

We aren't talking about that. We are talking about the
act of exploration & verification, which is essential.

Whilst CS Lewis-style equivocation is clever, there is
a sharp difference between penetration testing and any
other noun in related security assessment verbiage.

Whether or not the act of penetration is detected, stopped,
spoiled, soiled, or stymied, it is undertaking the actions
of exploration and verification that counts.

Anything else is...well...not "penetration testing", no
matter how rigorously you write about it.

Arian J. Evans

-----Original Message-----
From: StyleWar [mailto:stylewar () cox net] 
Sent: Sunday, August 06, 2006 11:26 AM
To: sol () haveyoubeentested org
Cc: pen-test () securityfocus com
Subject: RE: Vulnerability Assessment vs. PenTest

So - by your logic - if you bring a bangin sharp pen-tester 
in, and he's
caught and his ingress methods are mitigated while still in 
the footprinting
stage, that a pen-test did not actually occur... is that it? Or -- if
physical security is 'pen-tested' and the tester is caught in 
the parking
lot without credentials... no pen test existed or occurred eh?

Quit trying to convince yourself of your own dogma and read for

Sol wrote:

In the hands of a good pen tester, a pen test does NOT 
have to exploit 
vulnerabilities in order to achieve its value proposition.

If there's no verification of the vulnerabilities using 
exploits then it's
not a Penetration test.  What part of >penetration don't you 
Anything less is a Vulnerability assessment.  Period.


This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]