RE: Vulnerability Assessment vs. PenTest

This thread sure went on a long time without covering
the second noun in the subject.

***Penetration Test***

"You don't need to penetrate to verify" is a tired,
lame excuse sold by insufficiently skilled or incompetent
testers for a "penetration test".

Marcus Ranum made better arguments against penetration
tests years ago, but they do not hold water any more
than equivocating about this discussion by asking "did
the bear soil the woods if no one heard him?" questions.

***Defect Detection***

Simply observe the world of manufacturing. Items requiring
rigorous levels of tolerance, say splines or blades
in a jet engine, undergo an array of defect detection
mechanisms, from liquid UV tests to hand inspection to
finally, spinning the assembled engine up and putting
it under load.

Explore and verify. You don't just audit the design or
analyze the documented process that the spline groover
follows, or her historical trend of consistently following
a documented process to create splines.

A penetration test is simply one verification mechanism
in the poorly defined toolkit we have at our disposal
to verify security posture.

A penetration test is analogous to spinning up the
engine and putting it under load.

***Not Defect Detection***

It ain't a pen test if no one tries to penetrate. There
is NO other definition here without playing rhetorical
games that best belong in a scanner marketing slick.
You DO NOT KNOW what is under the hood unless you check.

The bottom line is that "penetration not needed" is sold
as an excuse for lack of depth, ability, and knowledge.

***Don't confuse the Pen with the Tester***

There are technically skilled, but business and risk
myopic pen testers that cannot communicate or contextualize
technical results in a meaningful manner.

We aren't talking about that. We are talking about the
act of exploration & verification, which is essential.

Whilst CS Lewis-style equivocation is clever, there is
a sharp difference between penetration testing and any
other noun in related security assessment verbiage.

Whether or not the act of penetration is detected, stopped,
spoiled, soiled, or stymied, it is undertaking the actions
of exploration and verification that counts.

Anything else is...well...not "penetration testing", no
matter how rigorously you write about it.

Arian J. Evans

-----Original Message-----
From: StyleWar [mailto:stylewar@xxxxxxx]
Sent: Sunday, August 06, 2006 11:26 AM
To: sol@xxxxxxxxxxxxxxxxxxxxx
Cc: pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: Vulnerability Assessment vs. PenTest

So - by your logic - if you bring a bangin sharp pen-tester
in, and he's caught and his ingress methods are mitigated
while still in the footprinting stage, that a pen-test did
not actually occur... is that it? Or -- if physical security
is 'pen-tested' and the tester is caught in the parking lot
without credentials... no pen test existed or occurred eh?

Quit trying to convince yourself of your own dogma and read for

Sol wrote:

In the hands of a good pen tester, a pen test does NOT
have to exploit vulnerabilities in order to achieve its
value proposition.

If there's no verification of the vulnerabilities using
exploits then it's not a Penetration test.
What part of >penetration don't you
Anything less is a Vulnerability assessment. Period.

