From: Gareth Davies (gareth.davies@mynetsec.com)
Date: Mon Jun 13 2005 - 22:07:37 EDT
tarunthenut@gmail.com wrote:
>hi,
>thanx to everyone for brain-stroming on this point.
>
>i asked this question cause i failed to understand why certain clients are bent on penetration testing cause the results totally depend on the skill set of the person/company performing the penetration testing.
>
>
>
Yeah that's pretty much how I see it too.
Most clients request a pen test because they don't know what it is, it
sounds more exciting.
What they actually want is a VA, I've had this issue a few times.
When it comes down to it, they don't want you to actually exploit their
servers, as the machines are live and they can't face the possibility of
downtime.
They don't mind snapshots of passive intrusion (through non passworded
services, or weak/default u/p combinations, open root shares,
unprotected NFS mounts and so on).
IMHO a full pen-test consists of a VA but it goes one step further, into
the realm of actually confirming the exploits will work (as an example,
sendmail is often pegged as being vulnerable, but many OS's update the
service without changing the banner, so according to the banner it's
vulnerable, in reality it's not).
I generally like to strike a balance somewhere in between where possible.
Cheers
-- Gareth Davies Manager - Security Practice Network Security Solutions MSC Sdn. Bhd. Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara, Mont’ Kiara, 50480 Kuala Lumpur, Malaysia Phone: +603-6203 5303 www.mynetsec.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT