Penetration Testing mailing list archives
Re: Penetration Testing Services
From: MAlMozaiyn () alfransi com sa
Date: Sun, 8 Aug 2010 14:36:08 +0300
Hi there,
Tools, like Nessus, are vulnerability-oriented. They can point at
vulnerabilities. Of course, in some cases these are only false-positives.
However, what you need to be aware of is not "only" vulnerabilities. This
needs to be extended to cover Risks.
What a third-party MUST provide is a risk-driven report that shows real
vulnerabilities in your systems and are very relevant to your environment
and makes sense to be fixed.
In addition to the above, penetration testing process is not limited to
scanning the network. As the name indicates, it is to potentially attempt
to penetrate resources for testing (assessment) purposes.
To conclude, Nessus, as well as other tools are a great additions to the
penetration testing practice. It is not the full picture, and at the same
time, missing these factors is a noticeable depreciation.
Have a good day,
Mohammed Almozaiyn, CISSP, GCIH
Senior Security Analyst
———————————————————
* malmozaiyn () alfransi com sa
———————————————————
From: cribbar <crib.bar () hotmail co uk>
To: pen-test () securityfocus com
Date: 03-08-2010 09:23 AM
Subject: Penetration Testing Services
Sent by: listbounce () securityfocus com
Penetration Testing Community - I am interested in getting an expert
response
to a discussion that keeps raising up in our company.
First off, I have some basic IT/Infrastructure knowledge, but I am most
definitely not up to the level of a penetration tester (please bare this in
mind with your responses).
Basically, our company has an internal IT Security section, who has
recently
purchased some of the popular vulnerability assessment software such as
Nessus. They are running quarterly scans using Nessus across an IP range
and
producing a report to senior management on the types of security holes in
the Network and how they can be fixed (and more importantly to management
how much it is going to cost to fix).
I’ve spent a couple of hours on the Nessus website looking at the types of
“vulnerability” it will catch, and it seems to cover a whole array of
topics
and security issues. This leads to the inevitable comment from senior
management, if we have an IT Security section who are using the most common
vulnerability scanning / penetration testing tools –what is the point in
investing significant $$$ in buying in a 3rd party to do exactly the same?
I fully appreciate that penetration testing is an area of high skill, as a
3rd party you provide an independent neutral security review, it takes
years
to master the topic, and once mastered you need to stay up to date with all
the current vulnerabilities and exploits, and it is your guy’s area of
expertise, whereas a security admin is not specific to penetration testing.
And let’s be honest, anyone can essentially download a user friendly piece
of software and click “scan” or whatever and produce a report listing
problems.
However, in order to be in defence of the pen testing community during such
discussions, I have a few questions….
• How do you as penetration testers, portray the importance of this
independent check to future potential clients? Is this independence really
that important?
• What broadly speaking do you as professional penetration testers bring
additional to a nessus scan during the services you provide? If there are
categories of security issues/vulnerabilities that you can flag up doing
one
of your penetration tests that Nessus wont - that would be incredibly
useful
to know, and I’d love to be able to identify the limitations of Nessus
scans
but I am a bit out of my depth to be able to do so.
• I trawled through the archives of this forum and others, and it seems
some
pen testing companies use the exact same tools such as nmap and nessus, and
in some cases simply pass across a Nessus report for a specific IP range
and
that’s the report they use. This to me sounds a complete rip off, and I
can’t see the benefit. So where is the added benefit in having an internal
security guy run nessus, and paying a 3rd party pen tester x amount of $$$
money to do exactly the same? Why not just stick with the internal guy? Or
am I missing something? I really would appreciate real examples of whereby
just running Nessus is simply not enough as it wont catch a, b and c!
I look forward to your comments.
--
View this message in context:
http://old.nabble.com/Penetration-Testing-Services-tp29324189p29324189.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- Re: Penetration Testing Services, (continued)
- Re: Penetration Testing Services k.x86 (Aug 03)
- Re: Penetration Testing Services Robin Wood (Aug 03)
- RE: Penetration Testing Services Jason Hurst (Aug 03)
- Re: Penetration Testing Services Andre Gironda (Aug 03)
- Re: Penetration Testing Services Richard Miles (Aug 16)
- RE: Penetration Testing Services Mathew Sealy (Aug 03)
- Message not available
- Re: Penetration Testing Services Jonathan Leigh (Aug 03)
- Re: Penetration Testing Services BMF (Aug 03)
- Re: Penetration Testing Services Todd Hughes (Aug 03)
- RE: Penetration Testing Services Hugo V. Garcia R. (Aug 03)
- Re: Penetration Testing Services MAlMozaiyn (Aug 08)
- RE: Penetration Testing Services Khalid Lakdawala (Aug 12)
- Re: Penetration Testing Services cribbar (Aug 12)