RE: Penetration testing report,

[Walter Lamagna <wlamagna () tenroses com ar>]

One thing is penetration testing and another is vulnerability scanning.
Sometimes the administrator or manager needs an exploit that exposes the
vulnerability to agree in investing time and money in security, without
the proove (exploit) they do not give security the importance it
deserves.

When you do a penetration test you have to tell the client that some
services could get down, you have to agree a time to do the tests and
have the authorization for this.  The vulnerability scanning does has
this risk too, but lowerer.

Thanks
Walter


On Sun, 2006-09-10 at 11:46 +1000, IRM wrote:
> I would argue that 80% of the cases we found that there is a
> vulnerability exist in the system but we couldn't exploit them because
> there in no public exploit around. What would you do about it? I mean it
> is easy to say that this code is buggy and to patch it but whether we
> can exploit them or not is another thing.
>
> What do you guys think?
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of venkataramanan.as () gmail com
> Sent: Saturday, September 09, 2006 9:55 PM
> To: security-basics () securityfocus com
> Subject: Re: Penetration testing report,
>
> John,
>
>
> Scanning and patch assessment is just vulnerability assessment.
> Penetration testing is one step ahead of this where the vulnerabilities
> identified in vulnerability assessment are exploited for
> proof-of-concept. For more detailed testing methodology you can refer
> methodology document released by ISECOM (www.isecom.org). This document
> helps you to some extent to understand what a penetration testing report
> should contain.
>
>
> Just my 2c.
>
> ------------------------------------------------------------------------
> ---
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic
> Excellence 
> in Information Security. Our program offers unparalleled Infosec
> management 
> education and the case study affords you unmatched consulting
> experience. 
> Using interactive e-Learning technology, you can earn this esteemed
> degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ------------------------------------------------------------------------
> ---
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence 
> in Information Security. Our program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this esteemed degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
-- 
Walter Lamagna
Ten Roses Buenos Aires
+54.11.4372.2250/2949
Ext.31


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------