Penetration Testing mailing list archives
RE: Vulnerability vs. Pen test
From: "James W. Beers" <james.beers () backbonesecurity com>
Date: Wed, 29 Apr 2009 09:37:27 -0400
James,

You will need more than just a collection of tools to successfully perform a penetration test. You will also need a methodology. A good place to start is the Open Source Security Testing Methodology Manual, or OSSTMM. The PCI Council has also released an Information Supplement for 11.3 which better details what merchants can expect from a penetration test.

Remember... "If internal resources are being used to perform the penetration tests, those resources must be experienced penetration testers. The individuals performing the penetration testing should be organizationally separate from the management of the environment being tested. For example, the firewall administrator should not perform the firewall-penetration testing."

Hope this helps,
Jim

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of James Lay
Sent: Sunday, April 26, 2009 10:59 AM
To: pen test
Subject: Re: Vulnerability vs. Pen test
> So part of PCI DSS requirements are for a quarterly vulnerability assessment, and a yearly pentest. My question is: is Nessus considered just a vulnerability scanning app? Thanks. James
Thanks for all the feedback on this. Guess my next question then is what type of apps does one use to pen test Windows boxes and routers and switches? I've seen a lot of SQL pen test and web pen test stuff here, but not much for the Windows and router/switches. Thanks again all.

James

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.
http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------
Current thread:
- Vulnerability vs. Pen test jlay (Apr 23)
- Re: Vulnerability vs. Pen test Ulises2k (Apr 23)
- Re: Vulnerability vs. Pen test Jeffrey Walton (Apr 26)
- RE: Vulnerability vs. Pen test Nick Vaernhoej (Apr 26)
- Re: Vulnerability vs. Pen test R. DuFresne (Apr 26)
- Re: Vulnerability vs. Pen test James Lay (Apr 26)
- Re: Vulnerability vs. Pen test bartlettNSF (Apr 27)
- RE: Vulnerability vs. Pen test James W. Beers (Apr 30)