Penetration Testing mailing list archives

Re: Vulnerability Assessment vs. PenTest

From: Gareth Davies <gareth.davies () mynetsec com>
Date: Tue, 08 Aug 2006 11:49:28 +0800

James Harless wrote:

Where is the line between a Vulnerability Assessment and a PenTest?  In
other words, which tests do you run which identifies your assessment as
a pentest rather than a VA?And, related, do VAs still have value? Do you feel that a PenTest
includes everything that a VA would (and more)?
My thoughts are that a VA is just an effort to document all the
identified and potential vulnerabilities on a network.  A PenTest is an
attempt to identify those vulnerabilities and then exploit some of them
to verify their weakness.
James

I saw a decent article on this a while ago, it's a little short andcould be expanded but it seems to be about right.


http://www.darknet.org.uk/2006/04/penetration-testing-vs-vulnerability-assessment/

--
Gareth Davies - ISO 27001 LA, OPST

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480

Kuala Lumpur, MalaysiaPhone: +603-6203 5303 or +603-6203 5920


www.mynetsec.com


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?Why not go with the #1 solution - Cenzic, the only one to win the Analyst'sChoice Award from eWeek. As attacks through web applications continue to rise,you need to proactively protect your applications from hackers. Cenzic has themost comprehensive solutions to meet your application security penetrationtesting and vulnerability management needs. You have an option to go with amanaged service (Cenzic ClickToSecure) or an enterprise software(Cenzic Hailstorm). Download FREE whitepaper on how a managed service canhelp you: http://www.cenzic.com/news_events/wpappsec.phpAnd, now for a limited time we can do a FREE audit for you to confirm yourresults from other product. Contact us at request () cenzic com for details.

------------------------------------------------------------------------------

Current thread:

RE: Vulnerability Assessment vs. PenTest, (continued)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)
  - RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
    - RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 05)
    - RE: Vulnerability Assessment vs. PenTest Daniel Accioly Rosa (Aug 05)
    - RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
    - RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 05)
    - RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
    - RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 06)
    - RE: Vulnerability Assessment vs. PenTest Arian J. Evans (Aug 21)
- Re: Vulnerability Assessment vs. PenTest Hylton Conacher(ZR1HPC) (Aug 06)
- Re: Vulnerability Assessment vs. PenTest Gareth Davies (Aug 07)
- Re: Vulnerability Assessment vs. PenTest Bob Radvanovsky (Aug 04)
  - Re: Vulnerability Assessment vs. PenTest Alice Bryson <abryson () bytefocus com> (Aug 05)
    - Re: Vulnerability Assessment vs. PenTest Arkem Paul (Aug 05)
    - Re: Vulnerability Assessment vs. PenTest Christine Kronberg (Aug 06)
    - RE: Vulnerability Assessment vs. PenTest Richard Feist (Aug 07)
    - Re: Vulnerability Assessment vs. PenTest xelerated (Aug 07)
    - Re: Vulnerability Assessment vs. PenTest Magdelin Tey (Aug 07)
    - RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 08)
- RE: Vulnerability Assessment vs. PenTest Bob Radvanovsky (Aug 06)
  - RE: Vulnerability Assessment vs. PenTest Omar A. Herrera (Aug 07)

(Thread continues...)