Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Mon, 05 Oct 2009 06:57:36 -0400

On Fri, 2009-10-02 at 21:02 -0400, Daniel Miessler wrote:

> Johannes's position is that a pentest that attains a goal, e.g. root
> access or a database dump, and then stops is an incomplete and poor
> pentest.
>
> I hold the opposite view, which is that a penetration test is, by
> definition, focused on achieving a specific goal, and that if the aim
> of testing is to find as many vulnerabilities as possible the type of
> test you're performing is a vulnerability assessment.

I honestly don't see a difference between your two positions. Most
pentests I've seen do stop once full access is maintained. I agree with
Johannes however (disclaimer: I've known Johannes for many years) that
there is minimal value add to simply showing a client a single path to
high level access.

Think of it this way. You bring your car in to a mechanic to fix a slow
leaking tire. During the replacement the mechanic notices your brakes
are about to fail. Since they were only contracted to fix the tire
however, they ignore the brakes and don't say anything. 

So while they may do a great job fixing the tire I think we can agree we
would not be very happy when the car ends up wrapped around a tree. ;-)

Single-objective pentests are great when you need something sexy to get
the attention of upper management. Long term however, they really don't
make the environment any more secure because at best only one hole is
getting plugged.

In the end, I think what really matters is that the client understands
the deliverable. If they know the goal is any possible path to root and
then the process will stop, life is cool. If they expect to get an
assessment of their overall posture however, you'll end up with some
unhappy clients.

HTH,
Chris
-- 
www.chrisbrenton.org



