Re: Pen Test success rate

[krymson () gmail com]

42 is a good answer!

Pen-testing should probably always expect penetration if you can include social engineering, physical proximity, or 
internal access presence (insider, soft chewy interior, user/admin access,configs access, etc). But a purely external 
pen-test is a different ballgame.

Your measure of success is going to include the important variable of how much of an Internet footprint your client 
has. A large footprint may offer some holes, but a small footprint with 3 patched and configured services hiding behind 
a decent firewall may not offer you much to do at all. I wouldn't be surprised to see pen testers not break into setups 
like that.

This also changes if you're speaking about application pen testing instead of network pen testing. The size and 
security of the web application will dictate your success rates. You might not find anything in a small web site except 
perhaps some XSS or low-lying, non-fatal bugs.

You should always go in hoping and expecting to find an opening since that is what you're paid to do. But don't expect 
every external pen test to be a success from that standpoint.


<- snip ->
From: James Kelly <macubergeek (at) comcast (dot) net [email concealed]>
> Given this scenario: Red team pen test from the Internet with no 
> information or cooperation from IT staff.
>
> What would be a reasonable success rate of breaking in to say at 
> least DMZ machines? Of internal hosts on private network?

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------