Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?


From: Ramki B Ramakrishnan <bramkie () gmail com>
Date: Mon, 5 Oct 2009 13:15:32 +0530

Thanks to Daniel Miessler for starting this thread here rather than
confining it to Twitter and blogs.

I saw this post on SANS and followed up to read more; IMO the software
testing team should cover the complete gamut, including security.

Wherever this type of testing is not feasible, the security testing
part can be provided/outsourced to a specialist team who will have
specific goals. And this type of testing (predefined goal) must be
done periodically, as environments can be dynamic. Practically, this is
the path taken by developers today.

Ramki

On Sat, Oct 3, 2009 at 6:32 AM, Daniel Miessler
<daniel () danielmiessler com> wrote:

Greetings List,

I'm having a discussion with Johannes Ullrich via the SANS Application Security Streetfighter Blog on whether 
penetration testing is goal or coverage oriented.

Johannes's position is that a pentest that attains a goal, e.g. root access or a database dump, and then stops is an 
incomplete and poor pentest. He believes a good pentester should continue finding as many vulnerabilities as he can.

I hold the opposite view, which is that a penetration test is, by definition, focused on achieving a specific goal, 
and that if the aim of testing is to find as many vulnerabilities as possible the type of test you're performing is a 
vulnerability assessment.

Here are the original arguments:

Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test

I'm curious as to what the list thinks of the two perspectives.

--
Daniel R. Miessler
W: http://danielmiessler.com
E: daniel () danielmiessler com
P: 0x4048712D


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------




--
Ramki B Ramakrishnan
