Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Why Penetration Test?

From: "Tony Tulio" <tulio () myrealbox com>
Date: Fri, 10 Jun 2005 22:10:34 -0400
I think the most useful to a business would be 'A'. But that's not because of vulnerability assessment vs. pen test. 
It's because the results address the business risk. A business needs to understand the risk of a problem, the risk of 
not doing anything about it, and the risk of taking action. These things let you focus business resources where they 
are needed the most. This should be done by the consultant, who understands the technical risks, in concert with 
business management, who understand the business risks. Exploiting a host doesn't always mean much unless you can 
demonstrate how you can exploit the data that it leads to and what that means to the business.

-----Original Message-----
From: tarunthenut () gmail com [mailto:tarunthenut () gmail com] 
Sent: Thursday, June 02, 2005 2:30 AM
To: pen-test () securityfocus com
Subject: Why Penetration Test?

I was wondering the usefulness of a penetration testing against vulnerability assessment for a company. 

Scenario A
Cosultant "A  is employed to perform a vulnerability assessment and the result is tabulated based on the business risk 
these vulnerabilities pose.

Scenario B
Cosultant "B is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 
vulnerabilities.

Scenario C
Cosultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 
vulnerabilities.

Which scenario would have more usefulness to the company? it is ovbious that the result of a PT would depend and vary 
from skill of a consultant to another?
Previous By Date Next
Previous By Thread Next

Current thread: