Re: Why Penetration Test?

From: Jim Geovedi (jim@geovedi.com)
Date: Tue Feb 14 2006 - 08:33:13 EST


Gareth Davies <gareth.davies@mynetsec.com> wrote:
> IMHO a full pen-test consists of a VA but it goes one step further, into
> the realm of actually confirming the exploits will work (as an example,
> sendmail is often pegged as being vulnerable, but many OSes update the
> service without changing the banner, so according to the banner it's
> vulnerable; in reality it's not).

I agree.

Many people (the clients) still don't understand the terms pentest and VA.
In the end, it doesn't really matter to them, since what they need is
"just" security assurance.

For pentest, we give our testing policy and explain that we take on the
_attackers' perspective_, actively aiming to exploit and compromise the
targets by using known and/or unknown (0-day) vulnerabilities.
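As an added example (not part of the original post or thread), a small Python triage helper showing why a banner-only scanner hit is at most an unverified VA finding until the installed package is checked for a backported fix. The banner, the "fixed upstream" version and the package release numbers are constructed sample values, not real advisory data.

```python
import re

# Constructed sample banner (not captured from a real host).
SAMPLE_BANNER = "220 mx.example.test ESMTP Sendmail 8.12.11/8.12.11; Tue, 14 Feb 2006 08:33:13"

SENDMAIL_BANNER_RE = re.compile(r"Sendmail (\d+\.\d+\.\d+)")


def banner_version(banner: str):
    """Extract the upstream version string advertised in an SMTP banner, if any."""
    m = SENDMAIL_BANNER_RE.search(banner)
    return m.group(1) if m else None


def version_tuple(v: str):
    return tuple(int(x) for x in v.split("."))


def classify_finding(banner, fixed_upstream, installed_release=None, backport_fix_release=None):
    """Turn a banner-based VA hit into a pentest-style verdict.

    fixed_upstream:       upstream version in which the issue was fixed (constructed here).
    installed_release:    distro package release number actually on the host.
    backport_fix_release: distro release that backported the fix without bumping the banner.
    """
    v = banner_version(banner)
    if v is None:
        return "unverified"            # banner hides the version: no conclusion either way
    if version_tuple(v) >= version_tuple(fixed_upstream):
        return "not_flagged"           # banner already shows a fixed upstream version
    if installed_release is None or backport_fix_release is None:
        return "unverified"            # banner says vulnerable, but that is all a VA knows
    if installed_release >= backport_fix_release:
        return "false_positive_backported"  # vendor patched, banner unchanged
    return "likely_vulnerable"         # old upstream version and no backport: confirm by exploit


if __name__ == "__main__":
    print(classify_finding(SAMPLE_BANNER, "8.13.0"))
    print(classify_finding(SAMPLE_BANNER, "8.13.0", installed_release=6, backport_fix_release=4))
```

The first call models what a banner-only VA can report; the second models the confirmation step the post describes as what separates a pentest from a VA.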

