RE: What is being a pen tester really like?



The question is ...

Do you then continue to check all the doors , windows and any other outlets,
the parking lot, etc, etc... Once finished, report it all back including how
/ what was checked, when and why.

And then a pen test goes from just a pen test to security assessment :-)

-----Original Message-----
From: Michael Weber [mailto:mweber@xxxxxxxxxxxxxxxxxx]
Sent: 03 August 2006 00:34
To: arian.evans@xxxxxxxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: What is being a pen tester really like?

Greetings, all!

I don't want to wade into the issue of charlatans, but I do
have a pretty easy to understand analogy I use to compare pen
tests and VA's.

Let's say I am a security guard at a shopping mall. My job
is to make sure all the doors are locked as I make my rounds.
If I walk up to a door that is unlocked and turn the handle
but I don't enter, that's a VA. If I walk in, make sure no
other alarms go off, and leave a note on a desk that tells
the owner that they left their door unlocked, that's a pen test.

My customers usually understand it when I move it to a
physical security scenerio.

As always, YMMV!

-Michael

arian.evans@xxxxxxxxxxxxxx 8/1/2006 2:57:57 PM >>>
<snip>

I struggle regularly to explain the difference between a
"vulnerability
assessment" and a pen test, due to the fact that too many folks pimp
pen test offerings that are just automated VA with a personal touch,
like Paul described. That, however, is the problem, not the answer.

It is not pen-testing if there is no penetration.






E-MAIL CONFIDENTIALITY NOTICE: This communication and any associated
file(s) may contain privileged, confidential or proprietary
information or be protected from disclosure under law
("Confidential Information"). Any use or disclosure of this
Confidential Information, or taking any action in reliance
thereon, by any individual/entity other than the intended
recipient(s) is strictly prohibited. This Confidential
Information is intended solely for the use of the
individual(s) addressed. If you are not an intended
recipient, you have received this Confidential Information in
error and have an obligation to promptly inform the sender
and permanently destroy, in its entirety, this Confidential
Information (and all copies thereof). E-mail is handled in
the strictest of confidence by Allied National, however,
unless sent encrypted, it is not a secure communication
method and may have been intercepted, edited or altered
during transmission and therefore is not guaranteed.



--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win
the Analyst's Choice Award from eWeek. As attacks through web
applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most
comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You
have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help
you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to
confirm your results from other product. Contact us at
request@xxxxxxxxxx for details.
--------------------------------------------------------------
----------------




--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.5/405 - Release
Date: 01/08/2006




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------



Relevant Pages

  • Re: NHS Healthcare Records
    ... This is undoubtedly the security policy. ... Here's my card and ... National Census due next year, ... It'll make a mockery of patient/doctor confidentiality then. ...
    (uk.people.silversurfers)
  • Re: AppArmor FAQ
    ... MLS systems) attaches security policy to the data. ... through the system, the label sticks to the data, and so security ... Enforcement was specifically designed to be able to address integrity ... _and_ confidentiality in a way acceptable to commercial organizations. ...
    (Linux-Kernel)
  • Re: classification shceme of security concept
    ... (confidentiality, trust, access control, replication, integrity, ... well, there is the CIA triad (confidentiality, integrity, ... disposed a differents concept related to security domain ...
    (alt.computer.security)
  • Re: Patching
    ... > availability, confidentiality and integrity, isn't it? ... > system availability to name a few instances). ... > from a security perspective. ...
    (Security-Basics)