Re: Security Audit

[Forrest Rae <forrest () code-lab com>]

Hi Todd,

You bring up some very good questions:  :-)  When I say vulnerability
assessment, I should have added "Automated" to the beginning.

> What is the difference between vuln assessment and pen test?

IMHO: It's a fine line between assessing possible access points and
entering access points.

> I have not done either but this seems like a highly subjective area to me.

Agreed

> Are you really going to do a vuln assess on a dynamic web site - with all
> its custom scripts and database connectivity and possibly middleware - in 20
> minutes?  

I mentioned "Once Over" for a reason.  :P  This is just a base to work
from.  Some customers want a view of 30,000 feet, some want a 100 feet.

> It sounds like a vuln assess consists of running Nessus or
> something similar, searching bugtraq archives and possibly throwing in a
> google search for extra credit.

Yes, that is basically one way you can accomplish it.  Nessus is a great
tool when used properly can accomplish wonderful things.  (Baby Sit
Children, Leap Tall Buildings, etc :-P )  Although, I wouldn't recommend
giving customers canned nessus reports.  ;-)

> Even on a workstation it seems like you couldn't get much done in 20
> minutes.  I don't even see how you could reliably enumerate all the
> installed software in less than 20 minutes.

Are you going to really enumerate all installed software without
penetrating the computer?  

-Forrest

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/