RE: Vulnerability Assessment vs. PenTest
- From: "StyleWar" <stylewar@xxxxxxx>
- Date: Sun, 6 Aug 2006 11:43:22 -0500
Daniel,
To use your language, it may be true that we are all seasoned professionals
-- but it is likely also true that we are not all equal in our seasoning. We
should recognize THAT CAUSE as a potential explanation for the disagreement,
and let the crucible of truth burn off all the bad opinions, rather than
give each opinion equal merit and say that "it's more art than science."
I agree that this specialty involves artful sections, I also feel pretty
strongly that what you describe is merely incredible aptitude for one
skillset or another. More than once I've stood next to a gent and wondered
what sort of magic he used to accomplish his tasks...it might as well have
been art, because I understood science, but I didn't understand how HE did
it.
So - for whatever it's worth --- while some specialties are not easily
understood or accomplished by all, we should be careful not to use the 'art'
analogy as a broad brush method for explaining away a lack of our own depth
in any of them....
-
StyleWar
"Happiness makes up for in height, what it lacks in length"
-----Original Message-----
From: Daniel Accioly Rosa [mailto:listas.accioly@xxxxxxxxxxxx]
Sent: Saturday, August 05, 2006 7:40 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerability Assessment vs. PenTest
What I find most interesting in these discussions is that
even though we are all seasoned professionals, we can't agree
100% on a definition of either Vulnerability Assessment or
Pen Testing.
What lesson should we take from this? I'm not saying that we
don't know what we are doing (most of us here are very good
professionals), but maybe there is too much "art" in this
job... Each day that goes by I believe more and more that we
need to agree on common grounds on how we perform our duties...
You are right StyleWar, coffee now would be nice.. :)
Daniel Accioly Rosa, CISA CISSP
daniel.accioly[AT]terra.com.br
-----Original Message-----
From: StyleWar [mailto:stylewar@xxxxxxx]
Sent: 06 August 2006 01:01
To: sol@xxxxxxxxxxxxxxxxxxxxx; 'Mark Ausley, CISSP'
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerability Assessment vs. PenTest
I can break it down like legos.
The value proposition of a pen test is an understanding of
whether the investment into detection and response is at an
appropriate level.
The value proposition of a vulnerability assessment is an
understanding of whether internal controls such as patch
management, physical security etc. are adequate given a
specific risk tolerance.
Although one may use elements of the other, they are, and
will forever be- very different things (despite the
boutique's attempts to make them 'the same thing').
In the hands of a good pen tester, a pen test does NOT have
to exploit vulnerabilities in order to achieve its value proposition.
In the hands of a good analyst, a vulnerability assessment
will avoid excessive commentary on specific exploitable
conditions, and instead expose the flaws that created the
opportunity for those vulnerabilities to exist in that
environment in the first place...
...Now-- go get me some coffee...Teaching makes me tired.
:)
-
StyleWar
"never underestimate the dousing effect of cubicles and
consensus management on the candles of creativity and leadership"
-----Original Message-----
From: Sol Invictus [mailto:sol@xxxxxxxxxxxxxxxxxxxxx]
Sent: Saturday, August 05, 2006 7:13 AM
To: Mark Ausley, CISSP
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerability Assessment vs. PenTest
You guys are making this way too complicated.
The only difference between a Vulnerability Assessment and a
Penetration Test is the fact that a Pen test will verify that the
vulnerabilities are in fact exploitable by actually exploiting those
vulnerabilities.
Many services will perform a VA and never run any exploits and try to
pass it as a Pen test. If you have someone doing that, then they are
trying to overcharge you.
The price between a VA and a Pen-test can be significant.
Why is that?
It's the level of responsibility that the Pen-testers must take.
It's very important that your Service provider know the difference and
is able to explain the difference. If they can't do that then you
should not use their services. If they have a high priced VA then you
need them to justify the "value adds".
Sol.
On Sat, 2006-08-05 at 00:47 -0400, Mark Ausley, CISSP wrote:
A Vulnerability Assessment can vary in scale and complexity but will
generally include the following:
1. External scan with Nessus, STAT, Retina, etc to obtain general
security posture of systems.
2. Internal scan with something like CIS tools, DISA scripts, Gold
Disk etc to assess the configuration of the systems and their patch
levels, etc.
There is some overlap between these first two steps.
3. Review system architecture and associated documentation.
4. Interview SysAdmins & Engineers on system operation.
5. Review existing policy, procedures, SOPs, etc.
6. Perform and document the risk analysis.
A PEN test on the other hand can include any number of the VA items
but usually include a much wider array of testing tools.
A PEN test is usually a few hours to a few days as opposed to a VA
which can take months to perform. Also, during PEN tests you usually
have little knowledge of the target systems prior to the test. A VA
involves unrestricted access and knowledge of the target systems.
A PEN test usually has a pre-set goal. The scope of the testing and
its goal is usually spelled out to the tester and can be limited or
unlimited. A PEN test can be more likely to break or disrupt normal
operations than a VA and always requires official documents
indicating what is allowed.
PEN tests really illustrate the relationship of vulnerabilities and
how they can string together to open a hole in what appeared to be a
solid wall.
-- Mark
-----Original Message-----
From: James Harless [mailto:jharless@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, August 04, 2006 4:57 PM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Vulnerability Assessment vs. PenTest
Where is the line between a Vulnerability Assessment and a PenTest?
In other words, which tests do you run which identifies your
assessment as a pentest rather than a VA?
And, related, do VAs still have value? Do you feel that a PenTest
includes everything that a VA would (and more)?
My thoughts are that a VA is just an effort to document all the
identified and potential vulnerabilities on a network. A PenTest is
an attempt to identify those vulnerabilities and then exploit some of
them to verify their weakness.
James
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------