Penetration Testing mailing list archives
Re: Security Audit
From: Rob J Meijer <rmeijer () xs4all nl>
Date: Fri, 7 Sep 2001 17:41:56 +0200 (CEST)
On 6 Sep 2001, bluefur0r bluefur0r wrote:
Here are my experiences, although this thread will be put to death soon... When asked by the sales/billing dept., they ask me: "how long will this take?" Here's an for you all. Ask for the audit to be done in two phases: automated scanning (e.g. vuln-assessment: nmap, nessus, other automated tools, whisker, etc.) and then the pen-test. The reason for this is that once you do the automated scan you know exactly how many boxes are up, what services are running and what might exist on the webservers. This will help you greatly in gauging the time it will take to do the pen-test. Now you have all the information you'd need to start the pen-test. In the past I made a grave error... (when I first started ;P). I did the automated scans, then penetrated with JUST the results I had from the automated scans. As I reflect, I realize that was not an audit but just a pen-test. Yeah, great, give them the report with how you broke in. But I missed a lot of information! What about the application layer? What about custom cgi's? Audits are meant for one reason: to be thorough and try to find! every single hole you can.
This seems to be a widely spread misconception. The actual holes are only a small part of security and thus of a security audit, but also of the penetration test phase itself. Just auditing the 'crunchy outside' by looking for 'every single hole you can find' does in no way constitute a complete audit or even a complete penetration test. A major part of the security assessment should be an evaluation of the provided containment and consequent risks for all systems that could possibly contain holes that are not known at the time of the audit. Security is not just about bugs, it's 'MOSTLY' about 'CONTAINMENT', and thus security assessments and penetration tests, and with them the time needed to complete them, should also be mainly about auditing the containment of systems with unknown bugs/holes and not just about finding as many known and unknown bugs/holes in these systems as possible.

Rob

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Re: Security Audit, (continued)
- Re: Security Audit H Carvey (Sep 06)
- RE: Security Audit Filer, Eddie (ZA - Johannesburg) (Sep 06)
- RE: Security Audit Wertheimer, Ishai (Sep 06)
- Re: Security Audit Erik Tayler (Sep 06)
- Re: Security Audit Renaud Deraison (Sep 07)
- Re: Security Audit Justin Stanford (Sep 07)
- Re: Security Audit bacano (Sep 10)
- RE: Security Audit Roberts, Kevin S (Sep 06)
- RE: Security Audit Ogle Ron (Rennes) (Sep 06)
- Re: Security Audit bluefur0r bluefur0r (Sep 06)
- Re: Security Audit Rob J Meijer (Sep 07)
- RE: Security Audit Aleksander Czarnowski (Sep 07)
- RE: Security Audit Ogle Ron (Rennes) (Sep 10)
- Re: Security Audit H Carvey (Sep 10)
- Re: Security Audit bacano (Sep 10)
- How to discover FW-1 management module or GUI? Carmelo Floridia (Sep 12)
- Re: How to discover FW-1 management module or GUI? Sheik Abdulla (Sep 13)
- Re: How to discover FW-1 management module or GUI? Alex Butcher (Sep 13)
- Re: How to discover FW-1 management module or GUI? Michael Batchelder (Sep 14)
- Re: How to discover FW-1 management module or GUI? Gareth Bromley (Sep 23)
- Re: How to discover FW-1 management module or GUI? The Crocodile (Sep 16)
- Re: Security Audit bacano (Sep 10)
