Penetration Testing mailing list archives
RE: Vulnerability Assessment vs. PenTest
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Sun, 20 Aug 2006 18:01:31 -0500
This thread sure went on a long time without covering the second noun in the subject. ***Penetration Test*** "You don't need to penetrate to verify" is a tired, lame excuse sold by insufficiently skilled or incompetent testers for a "penetration test". Marcus Ranum made better arguments against penetration tests years ago, but they do not hold water any more than equivocating about this discussion by asking "did the bear soil the woods if no one heard him?" questions. ***Defect Detection*** Simply observe the world of manufacturing. Items requiring rigorous levels of tolerance, say splines or blades in a jet engine, undergo an array of defect detection mechanisms, from liquid UV tests to hand inspection to finally, spinning the assembled engine up and putting it under load. Explore and verify. You don't just audit the design or analyze the documented process that the spline groover follows, or her historical trend of consistently following a documented process to create splines. A penetration test is simply one verification mechanism in the poorly defined toolkit we have at our disposal to verify security posture. A penetration test is analogous to spinning up the engine and putting it under load. ***Not Defect Detection*** It ain't a pen test if no one tries to penetrate. There is NO other definition here without playing rhetorical games that best belong in a scanner marketing slick. You DO NOT KNOW what is under the hood unless you check. The bottom line is that "penetration not needed" is sold as an excuse for lack of depth, ability, and knowledge. ***Don't confuse the Pen with the Tester*** There are technically skilled, but business and risk myopic pen testers that cannot communicate or contextualize technical results in a meaningful manner. We aren't talking about that. We are talking about the act of exploration & verification, which is essential. Whilst CS Lewis-style equivocation is clever, there is a sharp difference between penetration testing and any other noun in related security assessment verbiage. Whether or not the act of penetration is detected, stopped, spoiled, soiled, or stymied, it is undertaking the actions of exploration and verification that counts. Anything else is...well...not "penetration testing", no matter how rigorously you write about it. Arian J. Evans
-----Original Message----- From: StyleWar [mailto:stylewar () cox net] Sent: Sunday, August 06, 2006 11:26 AM To: sol () haveyoubeentested org Cc: pen-test () securityfocus com Subject: RE: Vulnerability Assessment vs. PenTest So - by your logic - if you bring a bangin sharp pen-tester in, and he's caught and his ingress methods are mitigated while still in the footprinting stage, that a pen-test did not actually occur... is that it? Or -- if physical security is 'pen-tested' and the tester is caught in the parking lot without credentials... no pen test existed or occurred eh? Quit trying to convince yourself of your own dogma and read for comprehension. Sol wrote:In the hands of a good pen tester, a pen test does NOThave to exploitvulnerabilities in order to achieve its value proposition.If there's no verification of the vulnerabilities usingexploits then it's not a Penetration test. What part of >penetration don't you understand? Anything less is a Vulnerability assessment. Period. ----------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
Current thread:
- Vulnerability Assessment vs. PenTest James Harless (Aug 04)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 05)
- RE: Vulnerability Assessment vs. PenTest Daniel Accioly Rosa (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Arian J. Evans (Aug 21)
- RE: Vulnerability Assessment vs. PenTest Sol Invictus (Aug 05)
- RE: Vulnerability Assessment vs. PenTest Mark Ausley, CISSP (Aug 04)
- <Possible follow-ups>
- Re: Vulnerability Assessment vs. PenTest Bob Radvanovsky (Aug 04)
- Re: Vulnerability Assessment vs. PenTest Alice Bryson <abryson () bytefocus com> (Aug 05)
- Re: Vulnerability Assessment vs. PenTest Arkem Paul (Aug 05)
- Re: Vulnerability Assessment vs. PenTest Christine Kronberg (Aug 06)
- RE: Vulnerability Assessment vs. PenTest Richard Feist (Aug 07)
- Re: Vulnerability Assessment vs. PenTest xelerated (Aug 07)
- Re: Vulnerability Assessment vs. PenTest Magdelin Tey (Aug 07)
- Re: Vulnerability Assessment vs. PenTest Alice Bryson <abryson () bytefocus com> (Aug 05)
- RE: Vulnerability Assessment vs. PenTest StyleWar (Aug 08)