Re: Security Audit

From: Forrest Rae (forrest@code-lab.com)
Date: Wed Sep 05 2001 - 12:52:15 PDT


    Hi Todd,
    
    You bring up some very good questions:  :-)  When I say vulnerability
    assessment, I should have added "Automated" to the beginning.
    
    > What is the difference between vuln assessment and pen test?
    
    IMHO: It's a fine line between assessing possible access points and
    entering access points.
    
    > I have not done either but this seems like a highly subjective area to me.
    
    Agreed.
    
    > Are you really going to do a vuln assess on a dynamic web site - with all
    > its custom scripts and database connectivity and possibly middleware - in 20
    > minutes?  
    
    I mentioned "Once Over" for a reason.  :P  This is just a base to work
    from.  Some customers want a view from 30,000 feet, some want 100 feet.
    
    > It sounds like a vuln assess consists of running Nessus or
    > something similar, searching bugtraq archives and possibly throwing in a
    > google search for extra credit.
    
    Yes, that is basically one way you can accomplish it.  Nessus is a great
    tool that, when used properly, can accomplish wonderful things.  (Babysit
    children, leap tall buildings, etc. :-P )  Although, I wouldn't recommend
    giving customers canned Nessus reports.  ;-)
    
    > Even on a workstation it seems like you couldn't get much done in 20
    > minutes.  I don't even see how you could reliably enumerate all the
    > installed software in less than 20 minutes.
    
    Are you going to really enumerate all installed software without
    penetrating the computer?  
    
    -Forrest
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:52:42 PDT