RE: What is being a pen tester really like?

From: Richard Feist (richard@bluesec.net)
Date: Wed Aug 02 2006 - 14:58:45 EDT

• Next message: NABET Benjamin: "RE: Covert Microphone Application"
• Previous message: Dogten: "Re: What is being a pen tester really like?"
• In reply to: Michael Weber: "RE: What is being a pen tester really like?"
• Next in thread: Mark Teicher: "RE: What is being a pen tester really like?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

The question is ...

Do you then continue to check all the doors , windows and any other outlets,
the parking lot, etc, etc... Once finished, report it all back including how
/ what was checked, when and why.

And then a pen test goes from just a pen test to security assessment :-)

> -----Original Message-----
> From: Michael Weber [mailto:mweber@alliednational.com]
> Sent: 03 August 2006 00:34
> To: arian.evans@anachronic.com; pen-test@securityfocus.com
> Subject: RE: What is being a pen tester really like?
>
> Greetings, all!
>
> I don't want to wade into the issue of charlatans, but I do
> have a pretty easy to understand analogy I use to compare pen
> tests and VA's.
>
> Let's say I am a security guard at a shopping mall. My job
> is to make sure all the doors are locked as I make my rounds.
> If I walk up to a door that is unlocked and turn the handle
> but I don't enter, that's a VA. If I walk in, make sure no
> other alarms go off, and leave a note on a desk that tells
> the owner that they left their door unlocked, that's a pen test.
>
> My customers usually understand it when I move it to a
> physical security scenerio.
>
> As always, YMMV!
>
> -Michael
>
> >>>> arian.evans@anachronic.com 8/1/2006 2:57:57 PM >>>
> <snip>
> >
> >I struggle regularly to explain the difference between a
> "vulnerability
> >assessment" and a pen test, due to the fact that too many folks pimp
> >pen test offerings that are just automated VA with a personal touch,
> >like Paul described. That, however, is the problem, not the answer.
> >
> >It is not pen-testing if there is no penetration.
> >
>
>
>
>
>
> E-MAIL CONFIDENTIALITY NOTICE: This communication and any associated
> file(s) may contain privileged, confidential or proprietary
> information or be protected from disclosure under law
> ("Confidential Information"). Any use or disclosure of this
> Confidential Information, or taking any action in reliance
> thereon, by any individual/entity other than the intended
> recipient(s) is strictly prohibited. This Confidential
> Information is intended solely for the use of the
> individual(s) addressed. If you are not an intended
> recipient, you have received this Confidential Information in
> error and have an obligation to promptly inform the sender
> and permanently destroy, in its entirety, this Confidential
> Information (and all copies thereof). E-mail is handled in
> the strictest of confidence by Allied National, however,
> unless sent encrypted, it is not a secure communication
> method and may have been intercepted, edited or altered
> during transmission and therefore is not guaranteed.
>
>
>
> --------------------------------------------------------------
> ----------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win
> the Analyst's Choice Award from eWeek. As attacks through web
> applications continue to rise, you need to proactively
> protect your applications from hackers. Cenzic has the most
> comprehensive solutions to meet your application security
> penetration testing and vulnerability management needs. You
> have an option to go with a managed service (Cenzic
> ClickToSecure) or an enterprise software (Cenzic Hailstorm).
> Download FREE whitepaper on how a managed service can help
> you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to
> confirm your results from other product. Contact us at
> request@cenzic.com for details.
> --------------------------------------------------------------
> ----------------
>
>
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.394 / Virus Database: 268.10.5/405 - Release
> Date: 01/08/2006
>
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

• Next message: NABET Benjamin: "RE: Covert Microphone Application"
• Previous message: Dogten: "Re: What is being a pen tester really like?"
• In reply to: Michael Weber: "RE: What is being a pen tester really like?"
• Next in thread: Mark Teicher: "RE: What is being a pen tester really like?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:30 EDT