Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Pete Herzog <lists () isecom org>
Date: Mon, 13 Jun 2005 19:08:06 +0200
I was under the impression a successful pen-test would map the paths of attack and not just verify that attacks are possible. Verification is required in vulnerability assessments to clean up false positives and reintroduce tests where analysis has determined the possibility of false negatives. Vuln testing is not about determining patches/fixes - for that, the good ol' sys admin could set his systems to DL and install all patches, failing where one is already installed. A vuln tester isn't needed for that. Patch is not the opposite of Vulnerability. Vuln tests are for determining parts of a vulnerable network so the analysis can focus on "why" or "whatever". A pen test is about creatively (and methodically) determining new avenues of attack, new paths to exploit, and new tricks to pull from sleeves. This pen tester thinks in new ways and can change the rules of the game in new ways that the defensive folks haven't thought about yet. The zero day and social engineering are such clever and valid tools for the pen tester for exactly this reason -- they nullify what the Defense thought they had as solid gridiron, hitting their underground shelter like a bomb that can burrow. It says, "hey there, how are ya, didn't think about your defenses from here because ya didn't think I could get here, did ya?" But they aren't valid tools for the vuln tester. Therefore, a pen test is only as good as the tester, the tester's tools, the tester's support group, and in part the tester's good night's sleep. Somewhere it changed into this vuln assessment support group stuff because hacking like a hacker was made to look so powerful and cool (cause it is) that everyone wanted to say they could do it and actually started to believe they could do it because they changed the definition of it. But that's like saying everyone can be a great artist when it's clearly not true because the delivery is so subjective.
But selling vuln tests as pen tests is a valid marketing trick because it produces valid income. Right? Regardless, in our industry each has its place in an assessment if the client's goals are met. But then since when does the client know more about security than the security professional? Imagine the accountant who balances the books because that's what the client wants but doesn't adhere to professional, ethical, and integral accounting practices? Wait, don't imagine, just read almost any newspaper from the last 5 years. And it's happening in our industry now all the time. Why Pen Test? Because it's maybe the right answer to the right question. But ya gotta figure out both the question and the answer for yourself. -pete.