Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Pentesting vs VA - was Pentesting tool - Commercial
From: Trygve Aasheim <trygve () pogostick net>
Date: Fri, 29 Feb 2008 07:59:37 +0100

The first question should be if they can be compared.

We use these two different categories of tools for two different categories of projects. As you say, the vulnerability tools are for identifying new vulnerabilities, retesting and store trend data.

The penetration testing tools and projects are aimed at finding what the consequences of a successful "pwn" in an area of our infrastructure would actually mean. Does our security countermeasures detect the compromise? Is the attacker allowed to move through the infrastructure? What can be reached? Are there any configuration mistakes that opens up the infrastructure even more, when you're already in? Can the countermeasures be reconfigured to detect the attack at an earlier stage?

All the stuff that should have been taken care of, and you want to see if it works in real life.


Robert E. Lee wrote:
On Wed, 2008-02-27 at 16:48 -0700, Andre Gironda wrote:
Using exploits on production or IT networks is unethical.  This isn't
the wild west.  You're overpaying by about $19K-$26K for what you need
when you go with Core Impact.  I don't know about ya'll, but the idea
of propagating a pseudo-worm through a corporate network seems about
as good of an idea as asking the power company to shut off electricity
to a hospital for "just a minute, to see what will happen".

When using exploits against production systems, in the best case
scenario you've altered the running state of production software.  In
the worst case, you've corrupted data or caused a loss of service.  Most
of us have accepted these potential outcomes as normal during a manual
penetration test.

The concern companies should have with the exploit frameworks is that
many of their users don't understand what the tool is doing.  The users
also don't understand what the exploit is affecting.  These tools can be
disastrous in the wrong hands.

A better use of time for most companies would be to use a thorough
vulnerability assessment and management solution.  VAM solutions can:
* Identify new vulnerabilities - far more than an exploit framework
* Assign vulnerability related tasks to the responsible Sys Admins
* Allow for retesting of the device/vulnerability to ensure the it was properly mitigated
* Show trending over time

Our customers value their ability to actually improve their situation
over their ability "Pwn" the systems they already own.


This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]