RE: Limited vs full blown testing

From: Thompson, Jimi (JimiT_at_mail.cox.smu.edu)
Date: 06/25/04

    Date: Thu, 24 Jun 2004 17:00:55 -0500
    To: "El C0chin0" <mr.nasty@ix.netcom.com>, <pen-test@securityfocus.com>
    
    

    <SNIP>
    First of all, most people seem to confuse auditing, vulnerability
    testing and penetration testing. Even within discussions here, there
    doesn't seem to be a clear definition amongst the tribe as to what does
    what.
    </SNIP>

    <SNIP>
    Penetration testing is the act of penetrating a system. Breaking into
    it using whatever tools are available. Not some proprietary software.
    That's bogus.
    </SNIP>

    This is all too true. From my perspective, unless you have a "trophy"
    for me to hack in and retrieve, it's not a penetration test. While my
    doing a scan of your network may be one activity that I carry out as
    part of the pen test, it, on its own, doesn't qualify as a
    penetration test. Looking for vulnerable systems or applications,
    alone, doesn't cut it either. This is something that I might do as part
    of my attempt to penetrate your security, but unless the attempt to
    actually penetrate is made IT ISN'T A PEN TEST!

    Pen testing involves discovering and _attempting to exploit_ issues like
    (my favorite) poorly configured proxies in order to gain unauthorized
    access to systems and/or their contents. Just discovering the issue
    doesn't necessarily involve an attempt at penetration and should not be
    labeled a pen test. It's misleading, especially to the "suits"
    mentioned in a previous email.

    What most of the discussions in this group seem to focus on are more
    correctly labeled as vulnerability assessments and audits. Each of
    these has a valid and well deserved place in security methodology, but
    they aren't a pen test any more than my Chihuahua is a wolf. Sure they
    both have four legs and a wet nose, but I'd lots rather meet the Chihuahua
    in a dark forest!

    2 cents,

    Jimi

