Penetration Testing mailing list archives
RE: Penetration Testing Methodologies
From: "rzaluski" <rzaluski () ivolution ca>
Date: Tue, 14 Dec 2004 20:17:34 -0500
A good place to start is the OSSTMM. You can locate it at : http://www.isecom.org/osstmm/ I'm sure you will get a lot of posts to this site from members of this list. As for automated tools, they are valuable as part of a Pen Test but not a replacement for it. People have different 'views' on what a VA is and what a Pen Test is. They are not the same, in our Penetration Testing course we teach the OSSTMM methodology which provides the security tester a very good guideline in which to do the test. Some people use part of the OSSTMM or all of it. Other companies use their home grown methodology. The important thing is to have a methodology / plan in place. An Audit can be something as simple as putting a checkmark beside a column that says: Do you use SSL for web enabled Email? Yes - No? A Penetration test actively interrogates the Target organization, its presence, it has a set scope and what tests are to be run, when, where and how. That's where the Methodology comes into play. The OSSTMM has templates that help the security tester in this area. This allows things to be covered off and not left out of a test. A lot also depends on the scope of the project and costs associated. I Hope that helps Richard Zaluski, CCNA, CRCP CISO, Security and Infrastructure Services iVolution Technologies Incorporated 905.309.1911 866.601.4678 905.524.8450 (Pager) www.ivolution.ca rzaluski () ivolution ca -----Original Message----- From: Adriel T. Desautels [mailto:atd () secnetops com] Sent: Tuesday, December 14, 2004 11:20 AM To: pen-test () securityfocus com Subject: Penetration Testing Methodologies -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Greetings List, I am interested in collecting ideas as to what people feel an ideal penetration test is. What does the ideal methodology look like and what are the goals? I am asking you this because I have been running into interesting issues in certain markets. It would appear that some people view penetration tests as nothing more then basic network vulnerability audits while others view a penetration test for what it is, a test designed to compromise target systems as PoC of vulnerability. How do people feel about the use of automated tools and the weights of their results? What about manual or custom testing? We have our own methodology that we use for testing our client networks, but I am always interested in learning what else might be done. I'd be happy to engage anyone in a conversation about this subject. Regards, Adriel T. Desautels Secure Network Operations, Inc. ----------------------------------------- Office: 978-263-3829 Cell: 978-697-2946 http://www.secnetops.com CAUTION: The information contained in this mail message is confidential and may be legally privileged. No confidentiality or privilege is waived or lost by any mistransmission. If the reader of this message is not the intended recipient, you are hereby notified that any use, dissemination, or reproduction of this message is prohibited. If you have received this message in error please notify the sender immediately by email and destroy the original message. Thank you -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 Comment: http://www.secnetops.com iQA/AwUBQb8SQ7R5YB3MHZrzEQIs4QCgh/nnbznNp7MgI8lBTWQfCr+xlTkAn1yk ZZu2wdM22W3VbqMr2HF2obEx =DQTm -----END PGP SIGNATURE-----
Current thread:
- Penetration Testing Methodologies Adriel T. Desautels (Dec 14)
- RE: Penetration Testing Methodologies rzaluski (Dec 15)
- <Possible follow-ups>
- Re: Penetration Testing Methodologies Erik Pace Birkholz (Dec 15)