Re: Is Pentesting Goal Oriented, or Coverage Oriented?

[Jerome Athias <jerome.athias () free fr>]

Le vendredi 02 octobre 2009 à 21:02 -0400, Daniel Miessler a écrit :
> Greetings List,
>
> I'm having a discussion with Johannes Ullrich via the SANS Application  
> Security Streetfighter Blog on whether penetration testing is goal or  
> coverage oriented.
>
> Johannes's position is that a pentest that attains a goal, e.g. root  
> access or a database dump, and then stops is an incomplete and poor  
> pentest. He believes a good pentester should continue finding as many  
> vulnerabilities as he can.
I agree, that's what I call a Pentest.

> I hold the opposite view, which is that a penetration test is, by  
> definition, focused on achieving a specific goal,
That's what I call "Writing a Report".

>  and that if the aim  
> of testing is to find as many vulnerabilities as possible the type of  
> test you're performing is a vulnerability assessment.
That's what I call ""Launching Nessus"".
(* If you don't include a fuzzing process).

> Here are the original arguments:
>
> Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
> Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
> My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test
>
> I'm curious as to what the list thinks of the two perspectives.
My 2 frog legs

> --
> Daniel R. Miessler
> W: http://danielmiessler.com
> E: daniel () danielmiessler com
> P: 0x4048712D



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------