Re: Why Penetration Test?

From: Rob Havelt (rob@cobal.org)
Date: Sat Jun 11 2005 - 03:30:11 EDT


I'd submit that these scenarios offer very different data sets, meant to
address two distinctly different concerns within an organization. Put
simply, they answer different questions. (I'm assuming the most common
definitions of VA and PT here - as the meaning of "Vulnerability
Assessment" varies wildly from organization to organization).

But given that scenarios A and B/C would produce different data, they can
both be useful, and they both answer a specific question. How useful they
are would depend almost solely on the data that is most needed by the
organization commissioning the test at that point in time.

So I'd further submit that the real value that a consultant can add to the
process is to help the organization understand the subtle differences, and
identify the real questions that they need answered. For example - has the
organization in question started to look at threats in the context of risk
to the business, end to end security for business processes, and so on...
perhaps they have done this extensively, and as a result of this they've
decided to put security to the test. In this case, scenario A wouldn't be
answering the question. But perhaps the organization has not taken a
realistic look at the business in terms of risk. They are not aware of all
the threats, and they don't have a plan in place. Scenario A might provide
some real value in this case, possibly more than B or C.

So I guess my answer to this would be a big "it depends on the company",
but it really does - not every organization is at the same point in the
security cycle. The most useful thing would be to try to understand where
the organization is, and possibly to help them understand where they are
right out of the gate.

-Rob

At 06:29 AM 6/2/2005 +0000, you wrote:
>I was wondering the usefulness of a penetration testing against
>vulnerability assessment for a company.
>
>Scenario A
>Consultant "A" is employed to perform a vulnerability assessment and the
>result is tabulated based on the business risk these vulnerabilities pose.
>
>Scenario B
>Consultant "B" is employed to perform a Penetration Test, discovers 10
>vulnerabilities and is able to show exploit of 5 vulnerabilities.
>
>Scenario C
>Consultant "C" is employed to perform a Penetration Test, discovers 10
>vulnerabilities and is able to show exploit of 7 vulnerabilities.
>
>Which scenario would have more usefulness to the company? It is obvious
>that the result of a PT would depend and vary from the skill of one consultant
>to another?



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT