RE: Vulnerability Assessment vs. PenTest
- From: "Mark Ausley, CISSP" <Mark@xxxxxxxxxxxxxx>
- Date: Sun, 6 Aug 2006 00:16:43 -0400
I agree. Good "bottom-line" on the goals of each type of test.
-- Mark
-----Original Message-----
From: StyleWar [mailto:stylewar@xxxxxxx]
Sent: Saturday, August 05, 2006 8:01 PM
To: sol@xxxxxxxxxxxxxxxxxxxxx; 'Mark Ausley, CISSP'
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerability Assessment vs. PenTest
I can break it down like legos.
The value proposition of a pen test is an understanding of whether the
investment into detection and response is at an appropriate level.
The value proposition of a vulnerability assessment is an understanding of
whether internal controls such as patch management, physical security etc.
are adequate given a specific risk tolerance.
Although one may use elements of the other, they are, and will forever be-
very different things (despite the boutique's attempts to make them 'the
same thing').
In the hands of a good pen tester, a pen test does NOT have to exploit
vulnerabilities in order to achieve its value proposition.
In the hands of a good analyst, a vulnerability assessment will avoid
excessive commentary on specific exploitable conditions, and instead expose
the flaws that created the opportunity for those vulnerabilities to exist in
that environment in the first place...
.....Now-- go get me some coffee...Teaching makes me tired.
:)
-
StyleWar
"never underestimate the dousing effect of cubicles and
consensus management on the candles of creativity and
leadership"
-----Original Message-----
From: Sol Invictus [mailto:sol@xxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, August 05, 2006 7:13 AM
To: Mark Ausley, CISSP
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerability Assessment vs. PenTest
You guys are making this way too complicated.
The only difference between a Vulnerability Assessment and a
Penetration Test is the fact that a Pen test will verify that
the vulnerabilities are in fact exploitable by actually
exploiting those vulnerabilites.
Many services will perform a VA and never run any exploits
and try to pass it as a Pen test. If you have someone doing
that, then they are trying to overcharge you.
The price between a VA and a Pen-test can be significant.
Why is that?
it's the level of responsibility that the Pen-testers must take.
It's very important that your Service provider know the
difference and is able to explain the difference. If they
can't do that then you should not use their services. If
they have a high priced VA then you need them to justify the
"value adds".
Sol.
On Sat, 2006-08-05 at 00:47 -0400, Mark Ausley, CISSP wrote:
A Vulnerability Assessment can vary in scale and complexitybut will
generally include the following:their patch levels, etc.
1. External scan with Nessus, STAT, Retina, etc to obtain general
security posture of systems.
2. Internal scan with something like CIS tools, DISA scripts, Gold
Disk etc to assess the configuration of the systems and
There is some overlap between these first two steps.you usually
3. Review system architecture and associated documentation.
4. Interview SysAdmins & Engineers on system operation.
5. Review existing policy, procedures, SOPs, etc.
6. Perform and document the risk analysis.
A PEN test on the other hand can include any number of the VA items
but usually include a much wider array of testing tools.
A PEN test is usually a few hours to a few days as opposed to a VA
which can take months to perform. Also, during PEN tests
have little knowledge of the target systems prior to the test. A VAindicating what is allowed.
involves unrestricted access and knowledge of the target systems.
A PEN test usually has a pre-set goal. The scope of the testing and
its goal is usually spelled out to the tester and can be limited or
unlimited. A PEN test can be more likely to break or disrupt normal
operations than a VA and always requires official documents
appeared to be a solid wall.
PEN tests really illustrate the relationship of vulnerabilities and
how they can string together to open a hole in what
PenTest?
-- Mark
-----Original Message-----
From: James Harless [mailto:jharless@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 04, 2006 4:57 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Vulnerability Assessment vs. PenTest
Where is the line between a Vulnerability Assessment and a
In other words, which tests do you run which identifies yourPenTest is
assessment as a pentest rather than a VA?
And, related, do VAs still have value? Do you feel that a PenTest
includes everything that a VA would (and more)?
My thoughts are that a VA is just an effort to document all the
identified and potential vulnerabilities on a network. A
an attempt to identify those vulnerabilities and thenexploit some of
them to verify their weakness.----------------------------------------------------------------------
James
------applications
--
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web
continue to rise, you need to proactively protect your applicationsto meet your
from hackers. Cenzic has the most comprehensive solutions
application security penetration testing and vulnerabilitymanagement
needs. You have an option to go with a managed service (CenzicHailstorm). Download
ClickToSecure) or an enterprise software (Cenzic
FREE whitepaper on how a managed service can help you:to confirm
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you
your results from other product. Contact us atrequest@xxxxxxxxxx for details.
----------------------------------------------------------------------
----------------------------------------------------------------------------
--
--------applications
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web
continue to rise, you need to proactively protect your applicationsto meet your
from hackers. Cenzic has the most comprehensive solutions
application security penetration testing and vulnerabilitymanagement
needs. You have an option to go with a managed service (CenzicHailstorm). Download
ClickToSecure) or an enterprise software (Cenzic
FREE whitepaper on how a managed service can help you:to confirm
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you
your results from other product. Contact us atrequest@xxxxxxxxxx for details.
----------------------------------------------------------------------
--------
--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win
the Analyst's Choice Award from eWeek. As attacks through web
applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most
comprehensive solutions to meet your application security
penetration testing and vulnerability management needs. You
have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help
you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to
confirm your results from other product. Contact us at
request@xxxxxxxxxx for details.
--------------------------------------------------------------
----------------
----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic has
the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
----------------------------------------------------------------------------
--
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------
- References:
- RE: Vulnerability Assessment vs. PenTest
- From: StyleWar
- RE: Vulnerability Assessment vs. PenTest
- Prev by Date: Re: Vulnerability Assessment vs. PenTest
- Next by Date: RE: [lists] Re: What to spend on a pentest
- Previous by thread: RE: Vulnerability Assessment vs. PenTest
- Next by thread: RE: Vulnerability Assessment vs. PenTest
- Index(es):
Relevant Pages
|
