From: Tony Tulio (tulio@myrealbox.com)
Date: Fri Jun 10 2005 - 22:10:34 EDT
I think the most useful to a business would be 'A'. But that's not because of vulnerability assessment vs. pen test. It's because the results address the business risk. A business needs to understand the risk of a problem, the risk of not doing anything about it, and the risk of taking action. These things let you focus business resources where they are needed the most. This should be done by the consultant, who understands the technical risks, in concert with business management, who understand the business risks. Exploiting a host doesn't always mean much unless you can demonstrate how you can exploit the data that it leads to and what that means to the business.
-----Original Message-----
From: tarunthenut@gmail.com [mailto:tarunthenut@gmail.com]
Sent: Thursday, June 02, 2005 2:30 AM
To: pen-test@securityfocus.com
Subject: Why Penetration Test?
I was wondering the usefulness of a penetration testing against vulnerability assessment for a company.
Scenario A
Cosultant "A is employed to perform a vulnerability assessment and the result is tabulated based on the business risk these vulnerabilities pose.
Scenario B
Cosultant "B is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 vulnerabilities.
Scenario C
Cosultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 vulnerabilities.
Which scenario would have more usefulness to the company? it is ovbious that the result of a PT would depend and vary from skill of a consultant to another?
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT