Penetration Testing mailing list archives
RE: Vulnerability vs. Pen test
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Fri, 24 Apr 2009 08:15:53 -0500
James,

My question would be, how do you think Nessus can be considered a penetration test?

A penetration test is not "a tool". A penetration test is an arsenal of tools combined with technical expertise of the wielder of the tools. A penetration test is having someone with a knack for finding mis-configurations and oversights in your infrastructure take a peek and see what he/she can find.

Can Nessus be part of this? Absolutely, but it doesn't make a penetration test by itself.

Nick

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." --Bruce Schneier

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jlay () slave-tothe-box net
Sent: Wednesday, April 22, 2009 3:42 PM
To: pen-test () securityfocus com
Subject: Vulnerability vs. Pen test

So part of PCI DSS requirements are for a quarterly vulnerability assessment, and a yearly pentest. My question is: is Nessus considered just a vulnerability scanning app? Thanks.

James