Security Basics mailing list archives

Re: Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books


From: HITESH PATEL <hitesh50 () yahoo com>
Date: Fri, 2 Jan 2009 09:45:19 -0800 (PST)

my personal view is:
- a security test that just uses signature-based scanning engines is "vulnerability scanning"
- a security test that uses such scanners as a starting point and takes it further with manual testing from that point is
"penetration testing"

again this is my personal view

-HP



----- Original Message ----
From: Rodrigo Gutierrez <replugge () gmail com>
To: security-basics () securityfocus com; Jon.Kibler () aset com
Sent: Friday, January 2, 2009 7:31:56 AM
Subject: Re: Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books

Jon,
   I will have to disagree with you since I believe Nessus and other
scanners are a part of the penetration test, since these scanners are
used in the information gathering process of the penetration test;
based on the information you get from these apps you decide which
vulnerability you are going to exploit in order to gain access.  I
mean you won't reinvent the wheel: before you share your latest
0day on someone else's honeypot, you first make sure that the well
known tools are not able to find anything.

I agree that a lot of consultants dump the reports of a vulnerability
scanner into a document, and bill more than the vulnerability scanner
licence price for their "service" of writing the network address in a
field and making a click on the "scan" button.

But what can you do, when most of the people ordering these services
don't have a clue about network security or how it is done?  I
used to take the time to educate my customers, tell them what they
should expect and how the process is done.  Now that I'm no longer
a consultant, some of them still call me and tell me how that information
has been useful and how many crappy consultants are out there.

Doing a good job with a transparent methodology and well documented
reports will always make the difference between a good and a crappy
consultant.

Kind Regards

-- 
_____________________________

Rodrigo Gutiérrez Burgos
ITC Systems & Security Architect
_____________________________
