42 is a good answer!
Pen-testing should probably always expect penetration if you can include social
engineering, physical proximity, or internal access presence (insider, soft
chewy interior, user/admin access,configs access, etc). But a purely external
pen-test is a different ballgame.
Your measure of success is going to include the important variable of how much
of an Internet footprint your client has. A large footprint may offer some
holes, but a small footprint with 3 patched and configured services hiding
behind a decent firewall may not offer you much to do at all. I wouldn't be
surprised to see pen testers not break into setups like that.
This also changes if you're speaking about application pen testing instead of
network pen testing. The size and security of the web application will dictate
your success rates. You might not find anything in a small web site except
perhaps some XSS or low-lying, non-fatal bugs.
You should always go in hoping and expecting to find an opening since that is
what you're paid to do. But don't expect every external pen test to be a
success from that standpoint.
<- snip ->
From: James Kelly <macubergeek (at) comcast (dot) net [email concealed]>
Given this scenario: Red team pen test from the Internet with no
information or cooperation from IT staff.
What would be a reasonable success rate of breaking in to say at
least DMZ machines? Of internal hosts on private network?
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
