RE: Why Penetration Test?

From: Erin Carroll (amoeba@amoebazone.com)
Date: Fri Jun 10 2005 - 16:41:29 EDT


IMHO, a penetration test isn't complete unless it includes some of "A"
below.

While you may not, as a consultant, be able to determine what
vulnerabilities might impact the company the most (in terms of cost/ROI to
address) you should definitely give your client some idea of the probability
and impact of that vulnerability being exploited.

Anyone with some passing familiarity can perform a Nessus scan or similar
against a host and report the results (B & C below). However, the real skill
is in being able to prioritize the possible holes/vulnerabilities in such a
way that the client can make educated decisions on which to address and in
what order. While the raw data from B & C are useful, without some context
or basis for comparison the data is less useful.

At least, that's how I would approach it.

-Erin Carroll
"Do Not Taunt Happy-Fun Ball"

> -----Original Message-----
> From: tarunthenut@gmail.com [mailto:tarunthenut@gmail.com]
> Sent: Wednesday, June 01, 2005 11:30 PM
> To: pen-test@securityfocus.com
> Subject: Why Penetration Test?
>
> I was wondering about the usefulness of penetration testing
> against vulnerability assessment for a company.
>
> Scenario A
> Consultant "A" is employed to perform a vulnerability
> assessment and the result is tabulated based on the business
> risk these vulnerabilities pose.
>
> Scenario B
> Consultant "B" is employed to perform a Penetration Test,
> discovers 10 vulnerabilities and is able to show exploit of 5
> vulnerabilities.
>
> Scenario C
> Consultant "C" is employed to perform a Penetration Test,
> discovers 10 vulnerabilities and is able to show exploit of 7
> vulnerabilities.
>
> Which scenario would have more usefulness to the company? It
> is obvious that the result of a PT would depend on and vary from
> the skill of one consultant to another?


