Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?


From: Taras <taras () securityaudit ru>
Date: Tue, 06 Oct 2009 23:37:41 +0400

Hi, Daniel!

Thanks for the interesting topic :)

From my point of view, the aim of a good pentest is to practically show as
many ways as possible to reach the goal. For example, we can gain access to
some critical data, e.g. cardholder data, through a hole in a web
application. The same access can be gained with the help of social engineering
and some Trojan-like program. The pentester must show all of these ways to the
customer.

On Fri, 2009-10-02 at 21:02 -0400, Daniel Miessler wrote:
Greetings List,

I'm having a discussion with Johannes Ullrich via the SANS Application  
Security Streetfighter Blog on whether penetration testing is goal or  
coverage oriented.

Johannes's position is that a pentest that attains a goal, e.g. root  
access or a database dump, and then stops is an incomplete and poor  
pentest. He believes a good pentester should continue finding as many  
vulnerabilities as he can.

I hold the opposite view, which is that a penetration test is, by  
definition, focused on achieving a specific goal, and that if the aim  
of testing is to find as many vulnerabilities as possible the type of  
test you're performing is a vulnerability assessment.

Here are the original arguments:

Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test

I'm curious as to what the list thinks of the two perspectives.

--
Daniel R. Miessler
W: http://danielmiessler.com
E: daniel () danielmiessler com
P: 0x4048712D




-- 
Taras - OSCP, OSWP
----
"Software is like sex: it's better when it's free." - Linus Torvalds


