Re: Why Penetration Test?

[Jim Geovedi <jim () geovedi com>]

Gareth Davies <gareth.davies () mynetsec com> wrote:
> IMHO a full pen-test consists of a VA but it goes one step further, into 
> the realm of actually confirming the exploits will work (as an example, 
> sendmail is often pegged as being vulnerable, but many OS's update the 
> service without changing the banner, so according to the banner it's 
> vulnerable, in reality it's not).

I agree.

Many people (the clients) still don't understand the term of pentest & VA.
In the end, it doesn't really matter for them since what they need is
"just" a security assurance.

For pentest, we give our testing policy and explain that we take on the
_attackers' perspective_, actively aiming to exploit and compromise the
targets by using known and/or unknown (0-day) vulnerabilities.



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------