RE: Email Pen-testing

From: Chris Hurley (churley_at_assureddecisions.com)
Date: 03/23/04

    Date: Tue, 23 Mar 2004 10:49:13 -0500 (EST)
    To: pen-test@securityfocus.com

    On Tue, 23 Mar 2004, James Taylor wrote:

    >
    > To drift slightly off topic... For me a vulnerability scan has much more value
    > to most companies than a pen test. That is, of course, if you apply the
    > principle that a vuln scan should be performed at each perimeter layer, against
    > all hosts, then assess the risk by taking each vulnerability discovered in the
    > context of the network as a whole.

    I agree with the gist of your point, however I am assuming that by
    "vulnerability scan" you are actually referring to a vulnerability
    assessment. A scan is a valuable part of an assessment, however on its
    own it is generally only valuable for identifying signature-based
    vulnerabilities. A full assessment, on the other hand, if conducted
    thoroughly, can identify areas of potential future exploitation that can
    be pro-actively addressed.

    Chris Hurley

