Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Rob Havelt <rob () cobal org>
Date: Sat, 11 Jun 2005 03:30:11 -0400
I'd submit that these scenarios offer very different data sets, meant to address two distinctly different concerns within an organization. Put simply, they answer different questions. (I'm assuming the most common definitions of VA and PT here - as the meaning of "Vulnerability Assessment" varies wildly from organization to organization).
But given that scenario A, and B/C would produce different data they can both be useful, and they both answer a specific question. How useful they are would depend almost solely on the data that is most needed by the organization commissioning the test at that point in time.
So I'd further submit that real value that a consultant can add to the process is to help the organization understand the subtile differences, and identify the real questions that they need answered. For example - has the organization in question started to look at threats in the context of risk to the business, end to end security for business processes, and so on... perhaps they have done this extensively, and as a result of this they've decided to put security to the test. In this case, scenario A wouldn't be answering the question. But perhaps the organization has not taken a realistic look at the business in terms of risk. They are not aware of all the threats, and they don't have a plan in place. Scenario A might provide some real value this this case, possibly more than B or C.
so I guess my answer to this would be a big "it depends on the company", but it really does - not every organization is at the same point in the security cycle. The most useful thing would be to try to understand where the organization is, and possibly to help them understand where they are right out of the gate.
-Rob At 06:29 AM 6/2/2005 +0000, you wrote:
I was wondering the usefulness of a penetration testing against vulnerability assessment for a company.Scenario ACosultant "A is employed to perform a vulnerability assessment and the result is tabulated based on the business risk these vulnerabilities pose.Scenario BCosultant "B is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 vulnerabilities.Scenario CCosultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 vulnerabilities.Which scenario would have more usefulness to the company? it is ovbious that the result of a PT would depend and vary from skill of a consultant to another?
Current thread:
- Why Penetration Test? tarunthenut (Jun 10)
- Re: Why Penetration Test? Terry Vernon (Jun 10)
- RE: Why Penetration Test? Erin Carroll (Jun 10)
- Re: Why Penetration Test? Brahman Thiyagalingham (Jun 10)
- Re: Why Penetration Test? cbc (Jun 10)
- Re: Why Penetration Test? Daniel Reynaud-Plantey (Jun 11)
- Re: Why Penetration Test? Amit (Jun 12)
- Re: Why Penetration Test? cbc (Jun 10)
- Re: Why Penetration Test? Rob Havelt (Jun 11)
- Re: Why Penetration Test? Petr . Kazil (Jun 11)
- Re: Why Penetration Test? Matt Curtin (Jun 20)
- <Possible follow-ups>
- RE: Why Penetration Test? DUBRAWSKY, IDO (CALLISMA) (Jun 10)
- RE: Why Penetration Test? Tony Tulio (Jun 10)
- Re: Re: Why Penetration Test? tarunthenut (Jun 13)
- Re: Why Penetration Test? Terry Vernon (Jun 13)
- Re: Why Penetration Test? Gareth Davies (Jun 13)
- Re: Why Penetration Test? Tarun The Nut (Jun 14)
- Re: Why Penetration Test? Gareth Davies (Jun 14)
- Re: Why Penetration Test? intel96 (Jun 16)