Re: Penetration Testing or Vulnerability Scanning?

From: Bennett Todd (bet@rahul.net)
Date: Sun Mar 09 2003 - 12:08:30 EST

Penetration Testing and Vulnerability Scanning are areas with a lot
of overlap. The difference between the two is less in the exact menu
of tools used, and more the context and application.

In whitehat applications the two categories differ more in who is
doing it, where, and why, and what surrounding activities they
perform, and less on exactly what the heart of the scan does.

Penetration Testing I've most often seen used to describe an
external vulnerability assessment. The customer will negotiate a
contract with the provider, and very often (at least every case I've
been involved with:-) the contract will completely prohibit
exploitation of holes found, acknowledging that without that
exploitation the pentester cannot guarantee that some additional
protection behind the facade might have actually prevented the
successful exploitation of the found hole. Pen-testing is routinely
performed from the internet at the outside perimeter of the target,
and the negotiated contract has terms limiting what will be
attempted --- no DoS, no exploitation, only during agreed-on time
windows, only from IP addrs which have been announced to the target
before the scan begins, that sort of thing.

Vulnerability Scanning I've seen as a task normally carried out by
security engineers within the organization; they may use open source
components, homebrew tools, commercial proprietary products, or some
mix of the lot, but the emphasis is on periodic scanning of the
whole net --- with emphasis on the inside net, behind the firewall
--- to find config errors and rogue machines and the like. I could
see a vulnscanning plan that included use of exploitation to
follow up and confirm that claimed found vulns are in fact
exploitable.

-Bennett
