RE: Limited vs full blown testing

From: Thompson, Jimi (JimiT@mail.cox.smu.edu)
Date: Thu Jun 24 2004 - 18:00:55 EDT


<SNIP>
First of all, most people seem to confuse auditing, vulnerability
testing and penetration testing. Even within discussions here, there
doesn't seem to be a clear definition amongst the tribe as to what does
what.
</SNIP>

<SNIP>
Penetration testing is the act of penetrating a system. Breaking into
it using whatever tools are available. Not some proprietary software.
That's bogus.
</SNIP>

This is all too true. From my perspective, unless you have a "trophy"
for me to hack in and retrieve, it's not a penetration test. While my
doing a scan of your network may be one activity that I carry out as
part of the pen test, it, on its own, doesn't qualify as a
penetration test. Looking for vulnerable systems or applications,
alone, doesn't cut it either. This is something that I might do as part
of my attempt to penetrate your security, but unless the attempt to
actually penetrate is made IT ISN'T A PEN TEST!

Pen testing involves discovering and _attempting to exploit_ issues like
(my favorite) poorly configured proxies in order to gain unauthorized
access to systems and/or their contents. Just discovering the issue
doesn't necessarily involve an attempt at penetration and should not be
labeled a pen test. It's misleading, especially to the "suits"
mentioned in a previous email.

What most of the discussions in this group seem to focus on are more
correctly labeled as vulnerability assessments and audits. Each of
these has a valid and well deserved place in security methodology, but
they aren't a pen test any more than my Chihuahua is a wolf. Sure they
both have four legs and a wet nose, but I'd lots rather meet the Chihuahua
in a dark forest!

2 cents,

Jimi


