Anyone claiming that their pen test, vuln assessment, or security audit consists merely of running nessus and or nmap and producing a reporrt and final results is a charleton, and does the security industry a dis-service. Yet, I have seen, in practice, both outside consultants, hired guns from the outside and supposedly 'trained' professionls <CISSP!> within the corporate sector do merely this and stamp "certified secure" across organizations. A "test, assessment, or audit" are more akin to remodeling, then ne home building and remodeling, having done lots of it over time, I can safely state, is -=dirty work=-. When you rip open a wall, one is sometimes amazed, as well as disenheartened at what they find behind the sheetrock and plaster. Thanks, Ron DuFresne On Wed, 5 Sep 2001, Todd Ransom wrote: > > A good estimate of time for a "Once Over" breaks down like this: > > > > Vulnerability Assessment: > > 20 minutes per host > > > > Penetration Test: > > 1 Hour per host > > What is the difference between vuln assessment and pen test? > > I have not done either but this seems like a highly subjective area to me. > Are you really going to do a vuln assess on a dynamic web site - with all > its custom scripts and database connectivity and possibly middleware - in 20 > minutes? It sounds like a vuln assess consists of running Nessus or > something similar, searching bugtraq archives and possibly throwing in a > google search for extra credit. > > Even on a workstation it seems like you couldn't get much done in 20 > minutes. I don't even see how you could reliably enumerate all the > installed software in less than 20 minutes. > > TR > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ > -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:53:25 PDT