Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?

From: Zack Payton <zpayton () gmail com>
Date: Mon, 5 Oct 2009 02:27:25 -0400

Code complete, exploitation far and wide encourages fixes in manydepartments . Just as their defense are multilayered, so should beyour attack. Card exposure on any assessment is a critical finding.


Sent from my iV

On Oct 2, 2009, at 9:02 PM, Daniel Miessler<daniel () danielmiessler com> wrote:

Greetings List,
I'm having a discussion with Johannes Ullrich via the SANSApplication Security Streetfighter Blog on whether penetrationtesting is goal or coverage oriented.
Johannes's position is that a pentest that attains a goal, e.g. rootaccess or a database dump, and then stops is an incomplete and poorpentest. He believes a good pentester should continue finding asmany vulnerabilities as he can.
I hold the opposite view, which is that a penetration test is, bydefinition, focused on achieving a specific goal, and that if theaim of testing is to find as many vulnerabilities as possible thetype of test you're performing is a vulnerability assessment.
Here are the original arguments:

Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test

I'm curious as to what the list thinks of the two perspectives.

--
Daniel R. Miessler
W: http://danielmiessler.com
E: daniel () danielmiessler com
P: 0x4048712D
------------------------------------------------------------------------This list is sponsored by: Information Assurance CertificationReview Board
Prove to peers and potential employers without a doubt that you canactually do a proper penetration test. IACRB CPT and CEPT certsrequire a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

Is Pentesting Goal Oriented, or Coverage Oriented? Daniel Miessler (Oct 04)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Michal Zalewski (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Zack Payton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Jerome Athias (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Ramki B Ramakrishnan (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Griffin (Oct 05)
  - Re: Is Pentesting Goal Oriented, or Coverage Oriented? David Howe (Oct 06)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Kevin L. Shaw, CISSP, GCIH (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Brenton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Marco Ivaldi (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Robin Wood (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Tim (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Taras (Oct 06)