Penetration Testing mailing list archives
Re: Is Pentesting Goal Oriented, or Coverage Oriented?
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 05 Oct 2009 06:57:36 -0400
On Fri, 2009-10-02 at 21:02 -0400, Daniel Miessler wrote:
Johannes's position is that a pentest that attains a goal, e.g. root access or a database dump, and then stops is an incomplete and poor pentest. I hold the opposite view, which is that a penetration test is, by definition, focused on achieving a specific goal, and that if the aim of testing is to find as many vulnerabilities as possible the type of test you're performing is a vulnerability assessment.
I honestly don't see a difference between your two positions. Most pentests I've seen do stop once full access is maintained. I agree with Johannes however (disclaimer: I've known Johannes for many years) that there is minimal value add to simply showing a client a single path to high level access.

Think of it this way. You bring your car in to a mechanic to fix a slow leaking tire. During the replacement the mechanic notices your brakes are about to fail. Since they were only contracted to fix the tire however, they ignore the brakes and don't say anything. So while they may do a great job fixing the tire, I think we can agree we would not be very happy when the car ends up wrapped around a tree. ;-)

Single objective pentests are great when you need something sexy to get the attention of upper management. Long term however, they really don't make the environment any more secure because at best only one hole is getting plugged.

In the end, I think what really matters is that the client understands the deliverable. If they know the goal is any possible path to root and then the process will stop, life is cool. If they expect to get an assessment of their overall posture however, you'll end up with some unhappy clients.

HTH,
Chris
--
www.chrisbrenton.org
Current thread:
- Is Pentesting Goal Oriented, or Coverage Oriented? Daniel Miessler (Oct 04)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Michal Zalewski (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Zack Payton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Jerome Athias (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Ramki B Ramakrishnan (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Griffin (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? David Howe (Oct 06)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Kevin L. Shaw, CISSP, GCIH (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Brenton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Marco Ivaldi (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Robin Wood (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Tim (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Taras (Oct 06)