Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?


From: Robin Wood <dninja () gmail com>
Date: Mon, 5 Oct 2009 16:54:29 +0100

2009/10/3 Daniel Miessler <daniel () danielmiessler com>:
> Greetings List,
>
> I'm having a discussion with Johannes Ullrich via the SANS Application
> Security Streetfighter Blog on whether penetration testing is goal or
> coverage oriented.
>
> Johannes's position is that a pentest that attains a goal, e.g. root access
> or a database dump, and then stops is an incomplete and poor pentest. He
> believes a good pentester should continue finding as many vulnerabilities as
> he can.
>
> I hold the opposite view, which is that a penetration test is, by
> definition, focused on achieving a specific goal, and that if the aim of
> testing is to find as many vulnerabilities as possible the type of test
> you're performing is a vulnerability assessment.

I'd agree with Johannes: if you find one hole and then stop, you are
leaving a job half done and the client doesn't get what they've paid
for. What happens when they've fixed that bug? Do they have to go back
to the tester and start the whole process again? On a poor system that
approach could take a long time.

The difference from vulnerability scanning is how far you go once
you find an issue: vulnerability scanning just reports that there is
an issue there; penetration testing actually tries to exploit that.

Robin
