Penetration Testing mailing list archives

Re: Pen Test vs. Health Check


From: "Clint Bodungen" <clint () secureconsulting com>
Date: Wed, 28 Jan 2004 10:41:02 -0600

-danielrm26 wrote:

Your methodical analysis is flawless, with one exception -- *it doesn't
represent reality*.  Whether it's true or not from an academic
standpoint, anyone in the field knows that vuln assessments and
pen-tests are very distinct from each other.  But yes, you bring good
points. It's just that, as you noted, *should* and *is* are two
completely different animals.


I agree, it doesn't represent reality because many in the field _don't_ view
it this way (the fundamental distinctions and the benefits of using them
together). I didn't mean for my statement to sound definitive.  I was,
actually, trying to point out those fundamental distinctions and hopefully
provide another insight to the thread: That, instead of taking a "one or the
other" approach, they *should* be used together in a complete professional
project/package.  In fact, I've found that when you provide them together
and "embed" the pen-test in the vuln-assessment, the language and general
undertone of the "vulnerability assessment" tends to even out the client
uncertainties associated with the term "penetration testing" alone.  It
helps present it in a more professional manner, the client feels more
comfortable, the job is done *right*, and you get more "bill time" ;-)

