RE: What is being a pen tester really like?

Greetings, all!

I don't want to wade into the issue of charlatans, but I do have a pretty easy-to-understand analogy I use to compare pen tests and VAs.

Let's say I am a security guard at a shopping mall. My job is to make sure all the doors are locked as I make my rounds. If I walk up to a door that is unlocked and turn the handle but I don't enter, that's a VA. If I walk in, make sure no other alarms go off, and leave a note on a desk that tells the owner that they left their door unlocked, that's a pen test.

My customers usually understand it when I move it to a physical security scenario.

As always, YMMV!

-Michael

arian.evans@xxxxxxxxxxxxxx 8/1/2006 2:57:57 PM >>>
<snip>

I struggle regularly to explain the difference between
a "vulnerability assessment" and a pen test, due to the
fact that too many folks pimp pen test offerings that
are just automated VA with a personal touch, like Paul
described. That, however, is the problem, not the answer.

It is not pen-testing if there is no penetration.
