Penetration Testing mailing list archives
Re: Penetration Testing or Vulnerability Scanning?
From: Doug Foster <fosterd () airshow net>
Date: 09 Mar 2003 19:38:10 -0500
I like the explanation in the new FFIEC Information Security booklet:

"Penetration tests, audits, and assessments can use the same set of tools in their methodologies. The nature of the tests, however, is decidedly different. Additionally, the definitions of penetration test and assessment, in particular, are not universally held and have changed over time.

Penetration Tests. A penetration test subjects a system to the real-world attacks selected and conducted by the testing personnel. The benefit of a penetration test is to identify the extent to which a system can be compromised before the attack is identified and assess the response mechanism’s effectiveness. Penetration tests generally are not a comprehensive test of the system’s security and should be combined with other independent diagnostic tests to validate the effectiveness of the security process.

Audits. Auditing compares current practices against a set of standards. Industry groups or institution management may create those standards. Institution management is responsible for demonstrating that the standards they adopt are appropriate for their institution.

Assessments. An assessment is a study to locate security vulnerabilities and identify corrective actions. An assessment differs from an audit by not having a set of standards to test against. It differs from a penetration test by providing the tester with full access to the systems being tested. Assessments may be focused on the security process or the information system. They may also focus on different aspects of the information system, such as one or more hosts or networks."

-- Doug

On Fri, 2003-03-07 at 01:07, Rizwan Ali Khan wrote:
When usually we talk about penetration testing tools, people mostly refer to Vulnerability Scanners like iss, typhon, nessus, cybercop etc.

However penetration testing tools are those who penetrate as well, the above scanners do not do that.

One needs to have a working version of SSH exploit for the SSH vulnerability detected by the vulnerability scanner, so is it necessary for penetration tester to have access to the latest of underground exploit? Or could all this be done in an ethical manner too?

Please guide, I am so confused between two of these methodologies.