Penetration Testing mailing list archives
Re: What a security test should do?- from thinking about: Ethical Hacking Training
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Jan 2004 22:01:02 -0600
On Fri, 2004-01-23 at 14:32, Pete Herzog wrote:
What does a pen test fail to provide? I had to think about this for a little while because it's not so much to me what someone needs to know to be a security manager, CISO, or security consultant, but rather what do we expect from a security test? I know what pen-tests have been used for but I think a lot of that is also under-analyzing the results of a pen-test. As an auditor of pen-test reports for some companies, I see many of these reports focusing on software vulnerabilities,
Pete, could it be that they are confusing Penetration Tests with Vulnerability Assessments or Security Reviews?

The way I see it, vuln assessments take a broad approach, looking at things in _breadth_. It includes software, hardware, network/app concepts and design, physical, policy, and whatever else should be included in the scope. Pen tests on the other hand look at things in _depth_. It is a focused effort to find the weak points (one or a couple if time/scope permits) and penetrate existing defenses, keeping record on what needs to be improved.

Both serve a different purpose and have a different approach. A pen test will most likely not find every vulnerability, while a vuln assessment does not exploit found vulnerabilities. Vuln assessments provide a more quantitative description of the security controls while pen tests provide a more qualitative description.

I like the open source testing methodology, but I think it should be split into two categories to provide two guides, one for each type of review.

Regards,
Frank