Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Jim Geovedi <jim () geovedi com>
Date: Tue, 14 Feb 2006 20:33:13 +0700
Gareth Davies <gareth.davies () mynetsec com> wrote:
IMHO a full pen-test consists of a VA but it goes one step further, into the realm of actually confirming the exploits will work (as an example, sendmail is often pegged as being vulnerable, but many OS's update the service without changing the banner, so according to the banner it's vulnerable, in reality it's not).
I agree. Many people (the clients) still don't understand the term of pentest & VA. In the end, it doesn't really matter for them since what they need is "just" a security assurance. For pentest, we give our testing policy and explain that we take on the _attackers' perspective_, actively aiming to exploit and compromise the targets by using known and/or unknown (0-day) vulnerabilities. ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Why Penetration Test? Jim Geovedi (Feb 15)