Penetration Testing mailing list archives

Re: Penetration Testing or Vulnerability Scanning?


From: Ivan Arce <core.lists.pentest () corest com>
Date: Wed, 12 Mar 2003 15:02:25 -0300

It is interesting how views differ on this topic.

From my experience (the company I work for has been providing
penetration test services for 6 years and also has a commercial
software offering for the practice), almost all our PT engagements
included actual exploitation of vulnerabilities and further escalation
of privileges and trust relationships to go deeper into internal
networks.

The essential concept about a pentest is that it tries to replicate
a real attack to assess the security posture of the tested organization,
to understand its risks and the possible outcome of a real world attack.
It is really hard to achieve that goal if the tester stops at the first
suspected vulnerabilities found from the outside and does not actually
exploit them. That would be no different than running a bunch of vuln
scanners against public servers and gluing together their output into
something called 'final report'. I firmly believe that a professional
penetration test is A LOT more than that.

A penetration test should try to go as deep as possible into the tested
organization given the predefined goals and time and scope constraints.
However, as many pointed out, it is not a comprehensive assessment and
will not enumerate all existing vulnerabilities in a given infrastructure.


Vulnerability scanning, on the other hand, takes a breadth-first approach
and tries to reveal all *known* vulnerabilities in all tested assets.
This is a quite useful approach for periodic scanning and general
remediation of detected vulnerabilities. Scanning will reveal known
bugs and tell you to fix them, but it will NOT (no matter what the
fancy reports say) explain what the real impact of those vulnerabilities
is, since by its very nature a vuln scanner's output is just an enumeration
of bugs and their associated fixes. The automatic addition of a "risk level"
factor in scanner reports does not relate to actual risk in a particular
infrastructure since it does not take into account the organization's
business processes and procedures and does not correlate all found
vulnerabilities to understand more than simplistic trust relationships and
configuration errors.


The real value of penetration testing and vulnerability scanning will become
more evident only if all stakeholders in those processes have a clear understanding of their limitations.

-ivan


Bennett Todd wrote:
Penetration Testing and Vulnerability Scanning are areas with a lot
of overlap. The difference between the two is less in the exact menu
of tools used, and more the context and application.

In whitehat applications the two categories differ more in who is
doing it, where, and why, and what surrounding activities they
perform, and less on exactly what the heart of the scan does.

Penetration Testing I've most often seen used to describe an
external vulnerability assessment. The customer will negotiate a
contract with the provider, and very often (at least every case I've
been involved with:-) the contract will completely prohibit
exploitation of holes found, acknowledging that without that
exploitation the pentester cannot guarantee that some additional
protection behind the facade might have actually prevented the
successful exploitation of the found hole. Pen-testing is routinely
performed from the internet at the outside perimeter of the target,
and the negotiated contract has terms limiting what will be
attempted --- no DoS, no exploitation, only during agreed-on time
windows, only from IP addrs which have been announced to the target
before the scan begins, that sort of thing.

Vulnerability Scanning I've seen as a task normally carried out by
security engineers within the organization; they may use open source
components, homebrew tools, commercial proprietary products, or some
mix of the lot, but the emphasis is on periodic scanning of the
whole net --- with emphasis on the inside net, behind the firewall
--- to find config errors and rogue machines and the like. I could
see a vulnscanning plan that included use of exploitation to
follow up and confirm that claimed found vulns are in fact
exploitable.

-Bennett



--- for a personal reply use: ivan.arce () corest com
