Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: What is being a pen tester really like?
From: "Richard Feist" <richard () bluesec net>
Date: Thu, 3 Aug 2006 06:58:45 +1200

The question is ... 

Do you then continue to check all the doors , windows and any other outlets,
the parking lot, etc, etc... Once finished, report it all back including how
/ what was checked, when and why.

And then a pen test goes from just a pen test to security assessment :-) 

-----Original Message-----
From: Michael Weber [mailto:mweber () alliednational com] 
Sent: 03 August 2006 00:34
To: arian.evans () anachronic com; pen-test () securityfocus com
Subject: RE: What is being a pen tester really like?

Greetings, all!

I don't want to wade into the issue of charlatans, but I do 
have a pretty easy to understand analogy I use to compare pen 
tests and VA's.

Let's say I am a security guard at a shopping mall.  My job 
is to make sure all the doors are locked as I make my rounds. 
 If I walk up to a door that is unlocked and turn the handle 
but I don't enter, that's a VA.  If I walk in, make sure no 
other alarms go off, and leave a note on a desk that tells 
the owner that they left their door unlocked, that's a pen test.

My customers usually understand it when I move it to a 
physical security scenerio.

As always, YMMV!

-Michael

arian.evans () anachronic com 8/1/2006 2:57:57 PM >>>
<snip>

I struggle regularly to explain the difference between a 
"vulnerability 
assessment" and a pen test, due to the fact that too many folks pimp 
pen test offerings that are just automated VA with a personal touch, 
like Paul described. That, however, is the problem, not the answer.

It is not pen-testing if there is no penetration.






E-MAIL CONFIDENTIALITY NOTICE: This communication and any associated
file(s) may contain privileged, confidential or proprietary 
information or be protected from disclosure under law 
("Confidential Information").  Any use or disclosure of this 
Confidential Information, or taking any action in reliance 
thereon, by any individual/entity other than the intended 
recipient(s) is strictly prohibited.  This Confidential 
Information is intended solely for the use of the
individual(s) addressed. If you are not an intended 
recipient, you have received this Confidential Information in 
error and have an obligation to promptly inform the sender 
and permanently destroy, in its entirety, this Confidential 
Information (and all copies thereof).  E-mail is handled in 
the strictest of confidence by Allied National, however, 
unless sent encrypted, it is not a secure communication 
method and may have been intercepted, edited or altered 
during transmission and therefore is not guaranteed.



--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win 
the Analyst's Choice Award from eWeek. As attacks through web 
applications continue to rise, you need to proactively 
protect your applications from hackers. Cenzic has the most 
comprehensive solutions to meet your application security 
penetration testing and vulnerability management needs. You 
have an option to go with a managed service (Cenzic 
ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help 
you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to 
confirm your results from other product. Contact us at 
request () cenzic com for details.
--------------------------------------------------------------
----------------




--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.5/405 - Release 
Date: 01/08/2006




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]