Penetration Testing mailing list archives

Re: Security Audit


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 5 Sep 2001 15:12:05 -0400 (EDT)


Anyone claiming that their pen test, vuln assessment, or security audit
consists merely of running nessus and or nmap and producing a report and
final results is a charlatan, and does the security industry a
disservice.  Yet, I have seen, in practice, both outside consultants,
hired guns from the outside and supposedly 'trained' professionals <CISSP!>
within the corporate sector do merely this and stamp "certified secure"
across organizations.  A "test, assessment, or audit" is more akin to
remodeling than new home building, and remodeling, having done lots of it
over time, I can safely state, is -=dirty work=-.  When you rip open a
wall, one is sometimes amazed, as well as disheartened, at what they find
behind the sheetrock and plaster.

Thanks,

Ron DuFresne

On Wed, 5 Sep 2001, Todd Ransom wrote:

A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment:
20 minutes per host

Penetration Test:
1 Hour per host

What is the difference between vuln assessment and pen test?

I have not done either but this seems like a highly subjective area to me.
Are you really going to do a vuln assess on a dynamic web site - with all
its custom scripts and database connectivity and possibly middleware - in 20
minutes?  It sounds like a vuln assess consists of running Nessus or
something similar, searching bugtraq archives and possibly throwing in a
google search for extra credit.

Even on a workstation it seems like you couldn't get much done in 20
minutes.  I don't even see how you could reliably enumerate all the
installed software in less than 20 minutes.

TR


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!



