Penetration Testing mailing list archives
RE: Why Penetration Test?
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Fri, 10 Jun 2005 13:41:29 -0700
IMHO, a penetration test isn't complete unless it includes some of "A" below. While you may not, as a consultant, be able to determine what vulnerabilities might impact the company the most (in terms of cost/ROI to address), you should definitely give your client some idea of the probability and impact of that vulnerability being exploited.

Anyone with some passing familiarity can perform a nessus scan or similar against a host and report the results (B & C below). However, the real skill is in being able to prioritize the possible holes/vulnerabilities in such a way that the client can make educated decisions on which to address and in what order. While the raw data from B & C are useful, without some context or basis for comparison the data is less useful.

At least, that's how I would approach it.

-Erin Carroll
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: tarunthenut () gmail com [mailto:tarunthenut () gmail com]
Sent: Wednesday, June 01, 2005 11:30 PM
To: pen-test () securityfocus com
Subject: Why Penetration Test?

I was wondering about the usefulness of penetration testing against vulnerability assessment for a company.

Scenario A
Consultant "A" is employed to perform a vulnerability assessment and the result is tabulated based on the business risk these vulnerabilities pose.

Scenario B
Consultant "B" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 vulnerabilities.

Scenario C
Consultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 vulnerabilities.

Which scenario would have more usefulness to the company? It is obvious that the result of a PT would depend and vary from the skill of one consultant to another?