Penetration Testing mailing list archives
Re: Is Pentesting Goal Oriented, or Coverage Oriented?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Sun, 4 Oct 2009 22:14:51 -0700
Johannes's position is that a pentest that attains a goal, e.g. root access or a database dump, and then stops is an incomplete and poor pentest. He believes a good pentester should continue finding as many vulnerabilities as he can. I hold the opposite view, which is that a penetration test is, by definition, focused on achieving a specific goal, and that if the aim of testing is to find as many vulnerabilities as possible the type of test you're performing is a vulnerability assessment.
Well, pentesting is not an abstract art form - you're performing a service for a specific customer. Some customers are more interested in demonstrating the impact of flaws in their infrastructure, so that they have a compelling argument to request or allocate additional resources to more in-depth audits or preventive efforts. Other customers want to get a reasonably good coverage of their external perimeter, but the final recipients of the report are tech savvy enough not to require mad stunts to be pulled off - say, they can figure out there is a problem if you just mention they had an outdated version of something, or a weak password, without actually spending several days trying to exploit it and root as much of their network as possible.

In both cases, you are expected to deliver what they want, noting the trade-offs appropriately. I'd wager to say that internally, you should still always plan ahead for optimal coverage, though - otherwise, poor planning coupled with a sufficiently large and complicated target is a recipe for doing a subpar job.

Personally... I consider myself lucky never having to work for an organization where the security team would either lack the internal expertise, or the external authority, to require stunt-like deliverables at the expense of coverage; but there are many folks in the industry who are not so lucky, or simply disagree with this view.

/mz
Current thread:
- Is Pentesting Goal Oriented, or Coverage Oriented? Daniel Miessler (Oct 04)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Michal Zalewski (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Zack Payton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Jerome Athias (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Ramki B Ramakrishnan (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Griffin (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? David Howe (Oct 06)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Kevin L. Shaw, CISSP, GCIH (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Brenton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Marco Ivaldi (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Robin Wood (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Tim (Oct 05)
(Thread continues...)
