Thanks to everyone who replied to my question. I'm looking to start a security consulting practice and this has been very helpful.

It seems like the bulk of the job is checking for and possibly exploiting known vulnerabilities. Although I'm sure I will end up doing plenty of this, I'm more interested in auditing architecture/implementation and attempting to exploit currently unknown problems. Is the market ready for someone to offer this type of service?

For example, will the market pay for a consultant to come in and test a web site for cross-site scripting problems? Use of dangerous server side objects (I'm thinking COM objects in ASP script)? Evaluate corporate browser or mail client deployments? This type of analysis would have to be far more expensive because it would take considerable expertise and possibly large amounts of time.

It sounds like a pen test could sometimes include this type of activity.

thanks,
TR

----- Original Message -----
From: "Bill Pennington" <billpat_private>
To: "Todd Ransom" <transomat_private>
Cc: <pen-testat_private>
Sent: Thursday, September 06, 2001 11:31 AM
Subject: Re: Security Audit

> Todd Ransom wrote:
> >
> > What is the difference between vuln assessment and pen test?
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:26:14 PDT