RE: Vulnerability Assessment vs. PenTest



You guys are making this way too complicated.

The only difference between a Vulnerability Assessment and a Penetration
Test is the fact that a Pen test will verify that the vulnerabilities
are in fact exploitable by actually exploiting those vulnerabilities.

Many services will perform a VA and never run any exploits and try to
pass it as a Pen test. If you have someone doing that, then they are
trying to overcharge you.

The price between a VA and a Pen-test can be significant. Why is that?
It's the level of responsibility that the Pen-testers must take.

It's very important that your Service provider know the difference and
is able to explain the difference. If they can't do that then you
should not use their services. If they have a high priced VA then you
need them to justify the "value adds".

Sol.


On Sat, 2006-08-05 at 00:47 -0400, Mark Ausley, CISSP wrote:
A Vulnerability Assessment can vary in scale and complexity but will
generally include the following:

1. External scan with Nessus, STAT, Retina, etc. to obtain general security
posture of systems.
2. Internal scan with something like CIS tools, DISA scripts, Gold Disk, etc.
to assess the configuration of the systems and their patch levels, etc.
There is some overlap between these first two steps.
3. Review system architecture and associated documentation.
4. Interview SysAdmins & Engineers on system operation.
5. Review existing policy, procedures, SOPs, etc.
6. Perform and document the risk analysis.

A PEN test, on the other hand, can include any number of the VA items but
usually includes a much wider array of testing tools.

A PEN test is usually a few hours to a few days as opposed to a VA which can
take months to perform. Also, during PEN tests you usually have little
knowledge of the target systems prior to the test. A VA involves
unrestricted access and knowledge of the target systems.

A PEN test usually has a pre-set goal. The scope of the testing and its goal
is usually spelled out to the tester and can be limited or unlimited. A PEN
test can be more likely to break or disrupt normal operations than a VA and
always requires official documents indicating what is allowed.

PEN tests really illustrate the relationship of vulnerabilities and how they
can string together to open a hole in what appeared to be a solid wall.


-- Mark

-----Original Message-----
From: James Harless [mailto:jharless@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 04, 2006 4:57 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Vulnerability Assessment vs. PenTest

Where is the line between a Vulnerability Assessment and a PenTest? In
other words, which tests do you run which identify your assessment as
a pentest rather than a VA?

And, related, do VAs still have value? Do you feel that a PenTest
includes everything that a VA would (and more)?

My thoughts are that a VA is just an effort to document all the
identified and potential vulnerabilities on a network. A PenTest is an
attempt to identify those vulnerabilities and then exploit some of them
to verify their weakness.


James

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------

