Re: What a security test should do?- from thinking about: Ethical Hacking Training

From: Frank Knobbe (frank@knobbe.us)
Date: Fri Jan 23 2004 - 23:01:02 EST


On Fri, 2004-01-23 at 14:32, Pete Herzog wrote:
> What does a pen test fail to provide?
>
> I had to think about this for a little while because it's not so much to me
> what someone needs to know to be a security manager, CISO, or security
> consultant, but rather what do we expect from a security test?
>
> I know what pen-tests have been used for but I think a lot of that is also
> under-analyzing the results of a pen-test. As an auditor of pen-test
> reports for some companies, I see many of these reports focusing on software
> vulnerabilities,

Pete,

could it be that they are confusing Penetration Tests with Vulnerability
Assessments or Security Reviews? The way I see it, vuln assessments take
a broad approach, looking at things in _breadth_. It includes software,
hardware, network/app concepts and design, physical, policy, and
whatever else should be included in the scope. Pen tests on the other
hand look at things in _depth_. It is a focused effort to find the weak
points (one or a couple if time/scope permits) and penetrate existing
defenses, keeping a record of what needs to be improved.

Both serve a different purpose and have a different approach. A pen test
will most likely not find every vulnerability, while a vuln assessment
does not exploit found vulnerabilities. Vuln assessments provide a more
quantitative description of the security controls while pen tests
provide a more qualitative description.

I like the open source testing methodology, but I think it should be
split into two categories to provide two guides, one for each type of
review.

Regards,
Frank

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT