Hi,

My opinion is that a vulnerability assessment entails far more than a penetration test. A penetration test just looks to see if a system has a single weakness that can be exploited to compromise the system from internally and/or externally. A vulnerability assessment would entail a detailed analysis of the system, including, but not limited to, a Nessus scan.

We would normally quote approximately 8 hours for an individual system and this would be scaled down for additional systems due to the ability to script scans etc.

Our normal vulnerability assessment process would be:

1. Research and Planning (check latest vulnerabilities and exploits etc.)
2. Run tools (not just Nessus)
3. Verify findings of tools (eliminate false positives)
4. Write detailed report indicating findings, impact and recommendations.

Hope this helps.

Kind Regards,
Eddie Filer
Senior Consultant
Deloitte & Touche Enterprise Risk Services
Information Security Services

PLEASE NOTE: This e-mail message and its attachments are subject to the disclaimers as published at: <http://www.deloitte.co.za/disc.htm#emaildisc>

-----Original Message-----
From: Todd Ransom [mailto:transomat_private]
Sent: 05 September 2001 07:12
To: pen-testat_private
Subject: Re: Security Audit

> A good estimate of time for a "Once Over" breaks down like this:
>
> Vulnerability Assessment:
> 20 minutes per host
>
> Penetration Test:
> 1 Hour per host

What is the difference between vuln assessment and pen test? I have not done either but this seems like a highly subjective area to me. Are you really going to do a vuln assess on a dynamic web site - with all its custom scripts and database connectivity and possibly middleware - in 20 minutes? It sounds like a vuln assess consists of running Nessus or something similar, searching bugtraq archives and possibly throwing in a google search for extra credit. Even on a workstation it seems like you couldn't get much done in 20 minutes.

I don't even see how you could reliably enumerate all the installed software in less than 20 minutes.

TR

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
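The four-step process in the reply above (research, run tools, verify findings, report) is the part most easily lost when an assessment is quoted at "20 minutes per host", because step 3 is what separates a scanner dump from an assessment. The script below is an added illustration, not code from the original thread or from either poster: it merges findings from two constructed scanner outputs, treats a finding as verified only when it is corroborated by an independent tool or by a recorded manual check, sends single-source findings to a review queue, and produces the rows that step 4's report would be built from. The tool names, plugin titles, hosts and manual-check notes are all constructed placeholders, not real scan data.

```python
"""Added example (not part of the original mailing-list thread): triage helper
for step 3 of the assessment process quoted above, "verify findings of tools
(eliminate false positives)". All hosts, tool names and notes are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str  # "low" | "medium" | "high"
    source: str    # which tool reported it


# Constructed output from two hypothetical scanners ("scanner-a", "scanner-b").
SCANNER_A = [
    Finding("10.0.0.5", 80, "Outdated web server version", "medium", "scanner-a"),
    Finding("10.0.0.5", 22, "SSH weak algorithms offered", "low", "scanner-a"),
    Finding("10.0.0.7", 443, "Expired TLS certificate", "medium", "scanner-a"),
]
SCANNER_B = [
    Finding("10.0.0.5", 80, "Outdated web server version", "high", "scanner-b"),
    Finding("10.0.0.7", 443, "Expired TLS certificate", "medium", "scanner-b"),
    Finding("10.0.0.9", 21, "Anonymous FTP login allowed", "high", "scanner-b"),
]

# Constructed record of the analyst's manual verification: key -> (confirmed, note).
MANUAL_CHECKS = {
    ("10.0.0.5", 22, "SSH weak algorithms offered"): (False, "config review: weak ciphers already disabled"),
    ("10.0.0.9", 21, "Anonymous FTP login allowed"): (True, "confirmed during authorised test window"),
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

Key = Tuple[str, int, str]


def merge_findings(*sources: List[Finding]) -> Dict[Key, List[Finding]]:
    """Group identical (host, port, title) findings reported by different tools."""
    merged: Dict[Key, List[Finding]] = {}
    for src in sources:
        for f in src:
            merged.setdefault((f.host, f.port, f.title), []).append(f)
    return merged


def triage(merged: Dict[Key, List[Finding]], manual_checks) -> Tuple[list, list, list]:
    """Split merged findings into (verified, needs_review, rejected).

    A manual check always wins; otherwise a finding counts as verified only when
    two independent tools agree. Anything single-source goes to the review queue
    rather than straight into the report."""
    verified, needs_review, rejected = [], [], []
    for key, reports in merged.items():
        if key in manual_checks:
            confirmed, _note = manual_checks[key]
            (verified if confirmed else rejected).append(key)
        elif len({r.source for r in reports}) >= 2:
            verified.append(key)
        else:
            needs_review.append(key)
    return verified, needs_review, rejected


def report_entries(merged: Dict[Key, List[Finding]], verified: List[Key]) -> List[dict]:
    """Build step-4 report rows; where tools disagree, the highest severity is kept
    so the analyst consciously downgrades rather than silently accepts the lower one."""
    rows = []
    for key in sorted(verified):
        reports = merged[key]
        sev = max((r.severity for r in reports), key=SEVERITY_RANK.__getitem__)
        host, port, title = key
        rows.append({
            "host": host,
            "port": port,
            "finding": title,
            "severity": sev,
            "reported_by": sorted({r.source for r in reports}),
            "impact": "to be written by analyst",          # step 4: impact
            "recommendation": "to be written by analyst",  # step 4: recommendation
        })
    return rows


if __name__ == "__main__":
    merged = merge_findings(SCANNER_A, SCANNER_B)
    verified, needs_review, rejected = triage(merged, MANUAL_CHECKS)
    for row in report_entries(merged, verified):
        print(row)
    print("needs manual review:", needs_review)
    print("rejected as false positive:", rejected)
```

On the constructed data this yields three verified findings, none awaiting review, and one scanner result rejected after the manual check. The point is the shape of the workflow: every scanner result passes through either corroboration or a hand check before it is written up, which is where most of the hours in an 8-hour-per-system quote go.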
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:29:33 PDT