From: Arian J. Evans (arian.evans@anachronic.com)
Date: Sun Aug 20 2006 - 19:01:31 EDT
This thread sure went on a long time without covering
the second noun in the subject.
***Penetration Test***
"You don't need to penetrate to verify" is a tired,
lame excuse sold by insufficiently skilled or incompetent
testers for a "penetration test".
Marcus Ranum made better arguments against penetration
tests years ago, but they do not hold water any more
than equivocating about this discussion by asking "did
the bear soil the woods if no one heard him?" questions.
***Defect Detection***
Simply observe the world of manufacturing. Items requiring
rigorous levels of tolerance, say splines or blades
in a jet engine, undergo an array of defect detection
mechanisms, from liquid UV tests to hand inspection to
finally, spinning the assembled engine up and putting
it under load.
Explore and verify. You don't just audit the design or
analyze the documented process that the spline groover
follows, or her historical trend of consistently following
a documented process to create splines.
A penetration test is simply one verification mechanism
in the poorly defined toolkit we have at our disposal
to verify security posture.
A penetration test is analogous to spinning up the
engine and putting it under load.
***Not Defect Detection***
It ain't a pen test if no one tries to penetrate. There
is NO other definition here without playing rhetorical
games that best belong in a scanner marketing slick.
You DO NOT KNOW what is under the hood unless you check.
The bottom line is that "penetration not needed" is sold
as an excuse for lack of depth, ability, and knowledge.
***Don't confuse the Pen with the Tester***
There are technically skilled, but business and risk
myopic pen testers that cannot communicate or contextualize
technical results in a meaningful manner.
We aren't talking about that. We are talking about the
act of exploration & verification, which is essential.
Whilst CS Lewis-style equivocation is clever, there is
a sharp difference between penetration testing and any
other noun in related security assessment verbiage.
Whether or not the act of penetration is detected, stopped,
spoiled, soiled, or stymied, it is undertaking the actions
of exploration and verification that counts.
Anything else is...well...not "penetration testing", no
matter how rigorously you write about it.
Arian J. Evans
> -----Original Message-----
> From: StyleWar [mailto:stylewar@cox.net]
> Sent: Sunday, August 06, 2006 11:26 AM
> To: sol@haveyoubeentested.org
> Cc: pen-test@securityfocus.com
> Subject: RE: Vulnerability Assessment vs. PenTest
>
> So - by your logic - if you bring a bangin sharp pen-tester
> in, and he's
> caught and his ingress methods are mitigated while still in
> the footprinting
> stage, that a pen-test did not actually occur... is that it? Or -- if
> physical security is 'pen-tested' and the tester is caught in
> the parking
> lot without credentials... no pen test existed or occurred eh?
>
> Quit trying to convince yourself of your own dogma and read for
> comprehension.
>
>
> Sol wrote:
> >>
> >> In the hands of a good pen tester, a pen test does NOT
> have to exploit
> >> vulnerabilities in order to achieve its value proposition.
>
> >If there's no verification of the vulnerabilities using
> exploits then it's
> not a Penetration test. What part of >penetration don't you
> understand?
> Anything less is a Vulnerability assessment. Period.
>
>
> ----------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:46 EDT