Re: Pen Test vs. Health Check

From: Clint Bodungen (clint@secureconsulting.com)
Date: Wed Jan 28 2004 - 11:41:02 EST


> -danielrm26 wrote:

> Your methodical analysis is flawless, with one exception -- *it doesn't
> represent reality*. Whether it's true or not from an academic
> standpoint, anyone in the field knows that vuln assessments and
> pen-tests are very distinct from each other. But yes, you bring good
> points. It's just that, as you noted, *should* and *is* are two
> completely different animals.
>

I agree, it doesn't represent reality because many in the field _don't_ view
it this way (the fundamental distinctions and the benefits of using them
together). I didn't mean for my statement to sound definitive. I was,
actually, trying to point out those fundamental distinctions and hopefully
provide another insight to the thread: That, instead of taking a "one or the
other" approach, they *should* be used together in a complete professional
project/package. In fact, I've found that when you provide them together
and "embed" the pen-test in the vuln-assessment, the language and general
undertone of the "vulnerability assessment" tends to even out the client
uncertainties associated with the term "penetration testing" alone. It
helps present it in a more professional manner, the client feels more
comfortable, the job is done *right*, and you get more "bill time" ;-)
