Penetration Testing mailing list archives
Re: Is Pentesting Goal Oriented, or Coverage Oriented?
From: Tim <tim-pentest () sentinelchicken org>
Date: Mon, 5 Oct 2009 09:24:08 -0700
Johannes's position is that a pentest that attains a goal, e.g. root access or a database dump, and then stops is an incomplete and poor pentest. He believes a good pentester should continue finding as many vulnerabilities as he can. I hold the opposite view, which is that a penetration test is, by definition, focused on achieving a specific goal, and that if the aim of testing is to find as many vulnerabilities as possible the type of test you're performing is a vulnerability assessment.

Here are the original arguments:

Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test

I'm curious as to what the list thinks of the two perspectives.
In my work, we see both vulnerability assessments and penetration tests as providing wide coverage, attempting to identify as many vulnerabilities as possible. The difference between the two is that with a pentest, we also attempt to fully exploit serious vulnerabilities to help customers prioritize their risk and to raise awareness within the organization. I think our customers almost always want breadth as a first priority over depth. Ultimately, either type of test is typically capped at some number of hours, so there is always some limitation as to how wide or how deep one can go, but that's the way we approach it.

tim