Penetration Testing mailing list archives

Re: What a security test should do?- from thinking about: Ethical Hacking Training


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Jan 2004 22:01:02 -0600

On Fri, 2004-01-23 at 14:32, Pete Herzog wrote:
What does a pen test fail to provide?

I had to think about this for a little while because it's not so much
to me what someone needs to know to be a security manager, CISO, or
security consultant, but rather what do we expect from a security test?

I know what pen-tests have been used for but I think a lot of that is
also under-analyzing the results of a pen-test.  As an auditor of
pen-test reports for some companies, I see many of these reports
focusing on software vulnerabilities, 


Pete,

could it be that they are confusing Penetration Tests with Vulnerability
Assessments or Security Reviews? The way I see it, vuln assessments take
a broad approach, looking at things in _breadth_. They include software,
hardware, network/app concepts and design, physical, policy, and
whatever else should be included in the scope. Pen tests, on the other
hand, look at things in _depth_. It is a focused effort to find the weak
points (one or a couple if time/scope permits) and penetrate existing
defenses, keeping a record of what needs to be improved. 

Both serve a different purpose and have a different approach. A pen test
will most likely not find every vulnerability, while a vuln assessment
does not exploit found vulnerabilities. Vuln assessments provide a more
quantitative description of the security controls while pen tests
provide a more qualitative description.

I like the open source testing methodology, but I think it should be
split into two categories to provide two guides, one for each type of
review.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part
