Penetration Testing mailing list archives
RE: Vulnerability Assessment vs. PenTest
From: "Mark Ausley, CISSP" <Mark () markausley com>
Date: Sat, 5 Aug 2006 00:47:15 -0400
A Vulnerability Assessment can vary in scale and complexity but will generally include the following: 1. External scan with Nessus, STAT, Retina, etc to obtain general security posture of systems. 2. Internal scan with something like CIS tools, DISA scripts, Gold Disk etc to assess the configuration of the systems and their patch levels, etc. There is some overlap between these first two steps. 3. Review system architecture and associated documentation. 4. Interview SysAdmins & Engineers on system operation. 5. Review existing policy, procedures, SOPs, etc. 6. Perform and document the risk analysis. A PEN test on the other hand can include any number of the VA items but usually include a much wider array of testing tools. A PEN test is usually a few hours to a few days as opposed to a VA which can take months to perform. Also, during PEN tests you usually have little knowledge of the target systems prior to the test. A VA involves unrestricted access and knowledge of the target systems. A PEN test usually has a pre-set goal. The scope of the testing and its goal is usually spelled out to the tester and can be limited or unlimited. A PEN test can be more likely to break or disrupt normal operations than a VA and always requires official documents indicating what is allowed. PEN tests really illustrate the relationship of vulnerabilities and how they can string together to open a hole in what appeared to be a solid wall. -- Mark -----Original Message----- From: James Harless [mailto:jharless () kidwellcompanies com] Sent: Friday, August 04, 2006 4:57 PM To: pen-test () securityfocus com Subject: Vulnerability Assessment vs. PenTest Where is the line between a Vulnerability Assessment and a PenTest? In other words, which tests do you run which identifies your assessment as a pentest rather than a VA? And, related, do VAs still have value? Do you feel that a PenTest includes everything that a VA would (and more)? My thoughts are that a VA is just an effort to document all the identified and potential vulnerabilities on a network. A PenTest is an attempt to identify those vulnerabilities and then exploit some of them to verify their weakness. James ---------------------------------------------------------------------------- -- This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ---------------------------------------------------------------------------- -- ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Vulnerability Assessment vs. PenTest James Harless (Aug 04)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 05)
- RE: Vulnerability Assessment vs. PenTest Daniel Accioly Rosa (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Arian J. Evans (Aug 21)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)