Penetration Testing mailing list archives
Re: Is Pentesting Goal Oriented, or Coverage Oriented?
From: Jerome Athias <jerome.athias () free fr>
Date: Mon, 05 Oct 2009 13:47:14 +0200
On Friday, 02 October 2009 at 21:02 -0400, Daniel Miessler wrote:
> Greetings List, I'm having a discussion with Johannes Ullrich via the SANS Application Security Streetfighter Blog on whether penetration testing is goal or coverage oriented. Johannes's position is that a pentest that attains a goal, e.g. root access or a database dump, and then stops is an incomplete and poor pentest. He believes a good pentester should continue finding as many vulnerabilities as he can.
I agree, that's what I call a Pentest.
> I hold the opposite view, which is that a penetration test is, by definition, focused on achieving a specific goal,
That's what I call "Writing a Report".
> and that if the aim of testing is to find as many vulnerabilities as possible the type of test you're performing is a vulnerability assessment.
That's what I call "Launching Nessus". (* If you don't include a fuzzing process).
> Here are the original arguments:
> Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
> Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
> My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test
> I'm curious as to what the list thinks of the two perspectives.
My 2 frog legs
> -- Daniel R. Miessler W: http://danielmiessler.com E: daniel () danielmiessler com P: 0x4048712D