IMHO, a penetration test isn't complete unless it includes some of "A"
below.
While you may not, as a consultant, be able to determine what
vulnerabilities might impact the company the most (in terms of cost/ROI to
address) you should definitely give your client some idea of the probability
and impact that vulnerability being exploited.
Anyone with some passing familiarity can perform a nessus scan or similar
against a host and report the results (B & C below). However, the real skill
is in being able to prioritize the possible holes/vulnerabilities in such a
way that the client can make educated decisions on which to address and in
what order. While the raw data from B & C are useful, without some context
or basis for comparison the data is less useful.
At least, that's how I would approach it.
-Erin Carroll
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: tarunthenut@gmail.com [mailto:tarunthenut@gmail.com]
Sent: Wednesday, June 01, 2005 11:30 PM
To: pen-test@securityfocus.com
Subject: Why Penetration Test?
I was wondering the usefulness of a penetration testing
against vulnerability assessment for a company.
Scenario A
Cosultant "A is employed to perform a vulnerability
assessment and the result is tabulated based on the business
risk these vulnerabilities pose.
Scenario B
Cosultant "B is employed to perform a Penetration Test,
discovers 10 vulnerabilities and is able to show exploit of 5
vulnerabilities.
Scenario C
Cosultant "C" is employed to perform a Penetration Test,
discovers 10 vulnerabilities and is able to show exploit of 7
vulnerabilities.
Which scenario would have more usefulness to the company? it
is ovbious that the result of a PT would depend and vary from
skill of a consultant to another?
