Re: Is Pentesting Goal Oriented, or Coverage Oriented?



Johannes's position is that a pentest that attains a goal, e.g. root
access or a database dump, and then stops is an incomplete and poor
pentest. He believes a good pentester should continue finding as
many vulnerabilities as he can.

I hold the opposite view, which is that a penetration test is, by
definition, focused on achieving a specific goal, and that if the
aim of testing is to find as many vulnerabilities as possible the
type of test you're performing is a vulnerability assessment.

Here are the original arguments:

Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test

I'm curious as to what the list thinks of the two perspectives.


In my work, we see both vulnerability assessments and penetration
tests as providing a wide coverage, attempting to identify as many
vulnerabilities as possible. The difference between the two is that
with a pentest, we also attempt to fully exploit serious
vulnerabilities to help customers prioritize their risk and to raise
awareness within the organization. I think our customers almost
always want breadth as a first priority over depth.

Ultimately, either type of test is typically capped at some number of
hours, so there is always some limitation as to how wide or how deep
one can go, but that's the way we approach it.

tim



