Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?


From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 5 Oct 2009 17:40:09 +0200 (Western European Summer Time)

Daniel,

On Fri, 2 Oct 2009, Daniel Miessler wrote:

> Greetings List,
>
> I'm having a discussion with Johannes Ullrich via the SANS Application Security Streetfighter Blog on whether penetration testing is goal or coverage oriented.

There has always been some confusion with the meaning of the terms "Vulnerability Assessment" and "Penetration Test" [1]. That said, the generally accepted definitions are something along the line of:

Vulnerability Assessment (or Security Scan). Process of identifying vulnerabilities in operating systems, services, and devices that could be used by attackers to target an organization's IT infrastructure.

Penetration Test (or Ethical Hacking). Security-oriented probing of a computer system or network to seek out vulnerabilities that an attacker could exploit. Beyond probing for vulnerabilities, this testing involves actual penetration attempts and therefore allows for greater coverage.

Therefore, a Vulnerability Assessment is a subset of a Penetration Test. Or at least this is how I market it, even though I understand there may be different opinions ;) The truth is that those terms are by themselves very general and are often used improperly (I still keep hearing the flawed argument that "by definition a Penetration Test cannot be performed from the inside of a private network").

To answer your question about coverage, I don't believe a Penetration Test should be by definition a "capture the flag" exercise. It could very well be, depending on test plan, scope, rules of engagement, etc. But a good Penetration Test should offer a broad coverage, depending on the client's specific needs.

Cheers,

[1]. See the following threads (I apologize for quoting myself):
     http://seclists.org/pen-test/2005/Jun/312
     http://seclists.org/pen-test/2006/Aug/384

--
Marco Ivaldi
Lead Security Analyst     Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/

