RE: Why Penetration Test?

["Erin Carroll" <amoeba () amoebazone com>]

IMHO, a penetration test isn't complete unless it includes some of "A"
below.

While you may not, as a consultant, be able to determine what
vulnerabilities might impact the company the most (in terms of cost/ROI to
address) you should definitely give your client some idea of the probability
and impact that vulnerability being exploited.

Anyone with some passing familiarity can perform a nessus scan or similar
against a host and report the results (B & C below). However, the real skill
is in being able to prioritize the possible holes/vulnerabilities in such a
way that the client can make educated decisions on which to address and in
what order. While the raw data from B & C are useful, without some context
or basis for comparison the data is less useful.

At least, that's how I would approach it.


-Erin Carroll
"Do Not Taunt Happy-Fun Ball"


> -----Original Message-----
> From: tarunthenut () gmail com [mailto:tarunthenut () gmail com] 
> Sent: Wednesday, June 01, 2005 11:30 PM
> To: pen-test () securityfocus com
> Subject: Why Penetration Test?
>
> I was wondering the usefulness of a penetration testing 
> against vulnerability assessment for a company. 
>
> Scenario A
> Cosultant "A  is employed to perform a vulnerability 
> assessment and the result is tabulated based on the business 
> risk these vulnerabilities pose.
>
> Scenario B
> Cosultant "B is employed to perform a Penetration Test, 
> discovers 10 vulnerabilities and is able to show exploit of 5 
> vulnerabilities.
>
> Scenario C
> Cosultant "C" is employed to perform a Penetration Test, 
> discovers 10 vulnerabilities and is able to show exploit of 7 
> vulnerabilities.
>
> Which scenario would have more usefulness to the company? it 
> is ovbious that the result of a PT would depend and vary from 
> skill of a consultant to another?