Penetration Testing mailing list archives

Re: They will protect me (won't they?)


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Wed, 11 Feb 2009 07:13:20 -0500

Whoa...

First, it sounds like there is a definition problem. Why are people always so unclear about definitions in this industry?

So let's start with two basic definitions:

Vulnerability Assessment: An assessment of a target for the purposes of identifying weaknesses or risks in the target without ever attempting to penetrate or exploit those weaknesses. (white-box or black-box)

Penetration Test: An assessment of a target for the purposes of identifying weaknesses or risks in the target and includes attempted penetration or exploitation of those weaknesses. (white-box or black-box)

When you start talking about white-box or black-box testing, those are methods for augmenting a penetration test or a vulnerability assessment, and those services can be either black or white. There are potentially endless ways to augment the testing.

With respect to your comment, an auditor will never, ever be able to produce the same results as a penetration tester. If the auditor does then he's doing penetration testing.

On Feb 11, 2009, at 2:36 AM, Jamie Riden wrote:

Hi Adriel,

Marcus Ranum for one disagrees -
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html
- so I think it's a little bit misleading to say that all seasoned
security professionals think pen-test is necessary. I don't agree with
Marcus by the way.

Fresh perspective is good, but it's also possible to get a fresh
perspective by getting an external auditor - i.e. a white-box test -
rather than pen-test (black box).

I'm obviously going to agree with your main point that everyone needs
to secure their infrastructures!

cheers,
Jamie

2009/2/11 Adriel T. Desautels <ad_lists () netragard com>:
Jamie,
I understand your perspective but it's not the perspective of any well
seasoned security professional.  The fact of the matter is that
external teams will always identify risks and provide new perspective that
you would not get from your internal team. Internal teams get stale.
There's a lot more to what I'm saying than what I've just written, but if you read between the lines I hope you understand where I'm coming from.

--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com