Penetration Testing mailing list archives

Re: Security Audit


From: "Todd Ransom" <transom () extremelogic com>
Date: Wed, 5 Sep 2001 13:11:40 -0400

A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment:
20 minutes per host

Penetration Test:
1 Hour per host

What is the difference between vuln assessment and pen test?

I have not done either but this seems like a highly subjective area to me.
Are you really going to do a vuln assess on a dynamic web site - with all
its custom scripts and database connectivity and possibly middleware - in 20
minutes?  It sounds like a vuln assess consists of running Nessus or
something similar, searching Bugtraq archives and possibly throwing in a
Google search for extra credit.

Even on a workstation it seems like you couldn't get much done in 20
minutes.  I don't even see how you could reliably enumerate all the
installed software in less than 20 minutes.

TR


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

