Penetration Testing mailing list archives

RE: Vulnerability vs. Pen test


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 24 Apr 2009 08:15:53 -0500

James,


My question would be, how do you think Nessus can be considered a penetration test?

A penetration test is not "a tool". A penetration test is an arsenal of tools combined with the technical expertise of the wielder of the tools.
A penetration test is having someone with a knack for finding misconfigurations and oversights in your infrastructure take a peek and see what he/she can find.
Can Nessus be part of this? Absolutely, but it doesn't make a penetration test by itself.

Nick

"If you think technology can solve your security problems, then
you don't understand the problems and you don't understand the technology."
  --Bruce Schneier


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jlay () slave-tothe-box net
Sent: Wednesday, April 22, 2009 3:42 PM
To: pen-test () securityfocus com
Subject: Vulnerability vs. Pen test

So part of the PCI DSS requirements is a quarterly vulnerability assessment, and a yearly pentest. My question is: is Nessus considered just a vulnerability scanning app? Thanks.

James


