Penetration Testing mailing list archives
RE: Vulnerability Assessment vs. PenTest
From: "StyleWar" <stylewar () cox net>
Date: Sun, 6 Aug 2006 11:43:22 -0500
Daniel, To use your language, it may be true that we are all seasoned professionals -- but it is likely also true that we are not all equal in our seasoning. We should recognize THAT CAUSE as a potential explanation for the disagreement, and let the crucible of truth burn off all the bad opinions, rather than give each opinion equal merit and say that "it's more art than science." I agree that this specialty involves artful sections, I also feel pretty strongly that what you describe is merely incredible aptitude for one skillset or another. More than once I've stood next to a gent and wondered what sort of magic he used to accomplish his tasks...it might has well have been art, because I understood science, but I didn't understand how HE did it. So - for whatever it's worth --- while some specialties are not easily understood or accomplished by all, we should be careful not to use the 'art' analogy as a broad brush method for explaining away a lack of our own depth in any of them.... - StyleWar "Happiness makes up for in height, what it lacks in length"
-----Original Message----- From: Daniel Accioly Rosa [mailto:listas.accioly () terra com br] Sent: Saturday, August 05, 2006 7:40 PM To: pen-test () securityfocus com Subject: RE: Vulnerability Assessment vs. PenTest What I find most interesting in these discussions is that even tough we are all seasoned professionals, we can't agree 100% on a definition neither to Vulnerability Assessment or Pen Testing. What lesson should we take from this? I'm not saying that we don't know what we are doing (most of use here are very good professionals), but maybe there is too much "art" in this job... Each day that goes by I believe more and more that we need to agree on common grounds on how we perform our duties... You are right StyleWar, coffee now would be nice.. :) Daniel Accioly Rosa, CISA CISSP daniel.accioly[AT]terra.com.br -----Original Message----- From: StyleWar [mailto:stylewar () cox net] Sent: 06 August 2006 01:01 To: sol () haveyoubeentested org; 'Mark Ausley, CISSP' Cc: pen-test () securityfocus com Subject: RE: Vulnerability Assessment vs. PenTest I can break it down like legos. The value proposition of a pen test is an understanding of whether the investment into detection and response is at an appropriate level. The value proposition of a vulnerability assessment is an understanding of whether internal controls such as patch management, physical security etc. are adequate given a specific risk tolerance. Although one may use elements of the other, they are, and will forever be- very different things (despite the boutique's attempts to make them 'the same thing'). In the hands of a good pen tester, a pen test does NOT have to exploit vulnerabilities in order to achieve its value proposition. In the hands of a good analyst, a vulnerability assessment will avoid excessive commentary on specific exploitable conditions, and instead expose the flaws that created the opportunity for those vulnerabilities to exist in that environment in the first place... ...Now-- go get me some coffee...Teaching makes me tired. :) - StyleWar "never underestimate the dousing effect of cubicles and consensus management on the candles of creativity and leadership"-----Original Message----- From: Sol Invictus [mailto:sol () haveyoubeentested org] Sent: Saturday, August 05, 2006 7:13 AM To: Mark Ausley, CISSP Cc: pen-test () securityfocus com Subject: RE: Vulnerability Assessment vs. PenTest You guys are making this way too complicated. The only difference between a Vulnerability Assessment and a Penetration Test is the fact that a Pen test will verify that the vulnerabilities are in fact exploitable by actuallyexploiting thosevulnerabilites. Many services will perform a VA and never run any exploitsand try topass it as a Pen test. If you have someone doing that,then they aretrying to overcharge you. The price between a VA and a Pen-test can be significant. Why is that? it's the level of responsibility that the Pen-testers must take. It's very important that your Service provider know thedifference andis able to explain the difference. If they can't do that then you should not use their services. If they have a high pricedVA then youneed them to justify the "value adds". Sol. On Sat, 2006-08-05 at 00:47 -0400, Mark Ausley, CISSP wrote:A Vulnerability Assessment can vary in scale and complexitybut willgenerally include the following: 1. External scan with Nessus, STAT, Retina, etc to obtain general security posture of systems. 2. Internal scan with something like CIS tools, DISAscripts, GoldDisk etc to assess the configuration of the systems andtheir patch levels, etc.There is some overlap between these first two steps. 3. Review system architecture and associated documentation. 4. Interview SysAdmins & Engineers on system operation. 5. Review existing policy, procedures, SOPs, etc. 6. Perform and document the risk analysis. A PEN test on the other hand can include any number ofthe VA itemsbut usually include a much wider array of testing tools. A PEN test is usually a few hours to a few days asopposed to a VAwhich can take months to perform. Also, during PEN testsyou usuallyhave little knowledge of the target systems prior to thetest. A VAinvolves unrestricted access and knowledge of the target systems. A PEN test usually has a pre-set goal. The scope of thetesting andits goal is usually spelled out to the tester and can belimited orunlimited. A PEN test can be more likely to break ordisrupt normaloperations than a VA and always requires official documentsindicating what is allowed.PEN tests really illustrate the relationship ofvulnerabilities andhow they can string together to open a hole in whatappeared to be a solid wall.-- Mark -----Original Message----- From: James Harless [mailto:jharless () kidwellcompanies com] Sent: Friday, August 04, 2006 4:57 PM To: pen-test () securityfocus com Subject: Vulnerability Assessment vs. PenTest Where is the line between a Vulnerability Assessment and aPenTest?In other words, which tests do you run which identifies your assessment as a pentest rather than a VA? And, related, do VAs still have value? Do you feel thata PenTestincludes everything that a VA would (and more)? My thoughts are that a VA is just an effort to document all the identified and potential vulnerabilities on a network. APenTest isan attempt to identify those vulnerabilities and thenexploit some ofthem to verify their weakness. James---------------------------------------------------------------------------- -- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through webapplicationscontinue to rise, you need to proactively protect yourapplicationsfrom hackers. Cenzic has the most comprehensive solutionsto meet yourapplication security penetration testing and vulnerabilitymanagementneeds. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (CenzicHailstorm). DownloadFREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for youto confirmyour results from other product. Contact us atrequest () cenzic com for details.---------------------------------------------------------------------------- -------------------------------------------------------------------------------- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through webapplicationscontinue to rise, you need to proactively protect yourapplicationsfrom hackers. Cenzic has the most comprehensive solutionsto meet yourapplication security penetration testing and vulnerabilitymanagementneeds. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (CenzicHailstorm). DownloadFREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for youto confirmyour results from other product. Contact us atrequest () cenzic com for details.-------------------------------------------------------------------------------------------------------------------------------------------- ---------------- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through webapplicationscontinue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutionsto meet yourapplication security penetration testing and vulnerabilitymanagementneeds. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for youto confirmyour results from other product. Contact us atrequest () cenzic com fordetails. -------------------------------------------------------------- ------------------------------------------------------------------------------ -------------- -- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. -------------------------------------------------------------- -------------- -- -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.5/407 - Release Date: 03/08/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.5/407 - Release Date: 03/08/2006 -------------------------------------------------------------- ---------------- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. -------------------------------------------------------------- ----------------
------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Vulnerability Assessment vs. PenTest James Harless (Aug 04)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 05)
- RE: Vulnerability Assessment vs. PenTest Daniel Accioly Rosa (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Arian J. Evans (Aug 21)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)
- <Possible follow-ups>
- Re: Vulnerability Assessment vs. PenTest Bob Radvanovsky (Aug 04)
- Re: Vulnerability Assessment vs. PenTest Alice Bryson <abryson () bytefocus com> (Aug 05)
- Re: Vulnerability Assessment vs. PenTest Arkem Paul (Aug 05)
- Re: Vulnerability Assessment vs. PenTest Christine Kronberg (Aug 06)
- Re: Vulnerability Assessment vs. PenTest Alice Bryson <abryson () bytefocus com> (Aug 05)