Re: Pen Test vs. Health Check

From: danielrm26 (danielrm26@yahoo.com)
Date: Tue Jan 27 2004 - 06:24:07 EST


I am by no means an expert in this subject, but it seems to me that one
major difference between a pen-test and a vulnerability assessment is
the pen-test is designed to come from a cracker's perspective, and the
tester is encouraged to actually attempt to enter systems using real
exploits. In a vulnerability assessment, on the other hand, the touch
seems to be lighter -- with the focus being on a report of the various
areas that need improvement. An illustration:

Pen-Test Guy: "Look what I could have done to your network." // more
inflammatory
Vulnerability Assessment Guy: "Here are some areas you need to work on."
// more academic

In short, pen-tests are more cutting edge and sexier. They are asked
for when the company is *very* serious about their security and have a
vested interest in knowing what an attacker could potentially do on
their network from the outside. I should also note that I think that
the pen-test requires quite a bit more skill than a vulnerability
assessment. I, for example, could probably do a decent vulnerability
assessment for a small to medium sized company, but I don't feel my
skills are far enough along to do pen-testing yet.

Regards,

-danielrm26
