Re: Penetration Testing Methodologies

From: Omar Herrera (oherrera@prodigy.net.mx)
Date: Tue Dec 14 2004 - 16:55:49 EST


----- Original Message -----
From: "Adriel T. Desautels" <atd@secnetops.com>
>
> Greetings List,
> I am interested in collecting ideas as to what people feel an ideal
> penetration test is. What does the ideal methodology look like and
> what are the goals? I am asking you this because I have been running
> into interesting issues in certain markets. It would appear that some
> people view penetration tests as nothing more than basic network
> vulnerability audits while others view a penetration test for what it
> is, a test designed to compromise target systems as PoC of
> vulnerability.

In my opinion, PenTests must include tests designed to compromise target systems manually. The added value of a PenTest is to have someone able to find (and exploit) vulnerabilities in custom applications (something beyond what most tools can do).

>
> How do people feel about the use of automated tools and the weights
> of their results? What about manual or custom testing? We have our
> own methodology that we use for testing our client networks, but I am
> always interested in learning what else might be done. I'd be happy
> to engage anyone in a conversation about this subject.
>

Most consultants use automated tools to give you a standardized set of results that can be reproduced (with the same tools), but custom testing is important. I believe that any average PenTest consultant should be capable of determining common false positives and incorrect results with manual testing, such as IIS running on a Unix server or vulnerabilities for Apache web server for an IIS web server.

Tools make many mistakes, and the least you would expect is that the guy running the software knows what he is doing (and actually shows it).

Regards,
Omar Herrera
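
An added example, not part of the original message: a minimal Python consistency check for the kind of scanner false positive described above (IIS findings on a Unix host, Apache findings against an IIS server). The host records, finding IDs, field names and the platform table are constructed assumptions, not output from any real tool.

```python
import re

# Assumption (simplified for illustration): platforms each product can run on.
PRODUCT_PLATFORMS = {"iis": {"windows"}, "apache": {"windows", "unix"}}

def product_from_banner(banner):
    """Map an HTTP Server header value to a product family, or None."""
    b = banner.lower()
    if "microsoft-iis" in b:
        return "iis"
    if re.search(r"\bapache\b", b):
        return "apache"
    return None

def triage(host, findings):
    """Return (finding_id, verdict, reason) for each scanner finding."""
    observed = product_from_banner(host["server_banner"])
    results = []
    for f in findings:
        claimed = f["product"]
        if host["os"] not in PRODUCT_PLATFORMS.get(claimed, set()):
            verdict = "likely-false-positive"
            reason = f"{claimed} does not run on {host['os']}"
        elif observed and observed != claimed:
            verdict = "likely-false-positive"
            reason = f"finding is for {claimed}, server identifies as {observed}"
        else:
            # Banners can be altered, so a match only means "worth testing by hand".
            verdict = "verify-manually"
            reason = "consistent with fingerprint"
        results.append((f["id"], verdict, reason))
    return results

# Constructed sample data (hypothetical hosts and scanner findings).
UNIX_HOST = {"os": "unix", "server_banner": "Apache/2.0.52 (Unix)"}
WIN_HOST = {"os": "windows", "server_banner": "Microsoft-IIS/6.0"}
UNIX_FINDINGS = [{"id": "F-1", "product": "iis"}, {"id": "F-2", "product": "apache"}]
WIN_FINDINGS = [{"id": "F-3", "product": "apache"}, {"id": "F-4", "product": "iis"}]

if __name__ == "__main__":
    for host, findings in ((UNIX_HOST, UNIX_FINDINGS), (WIN_HOST, WIN_FINDINGS)):
        for row in triage(host, findings):
            print(host["server_banner"], *row, sep=" | ")
```

Findings marked "verify-manually" still need hands-on confirmation; the check only removes results that contradict the observed platform.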


