Re: Penetration Testing or Vulnerability Scanning?

From: Ivan Arce (core.lists.pentestat_private)
Date: Wed Mar 12 2003 - 10:02:25 PST


    It is interesting how views differ on this topic.
    
     From my experience (the company I work for has been providing
    penetration test services for 6 years and also has a commercial
    software offering for the practice) almost all our PT engagements
    included actual exploitation of vulnerabilities and further escalation
    of privileges and trust relationships to go deeper into internal
    networks.
    
    The essential concept of a pentest is that it tries to replicate
    a real attack to assess the security posture of the tested organization,
    to understand its risks and the possible outcome of a real-world attack.
    It is really hard to achieve that goal if the tester stops at the first
    suspected vulnerabilities found from the outside and does not actually
    exploit them. That would be no different than running a bunch of vuln
    scanners against public servers and gluing together their output into
    something called a 'final report'. I firmly believe that a professional
    penetration test is A LOT more than that.
    
    A penetration test should try to go as deep as possible into the tested
    organization given the predefined goals and the time and scope constraints.
    However, as many pointed out, it is not a comprehensive assessment and will
    not enumerate all existing vulnerabilities in a given infrastructure.
    
    
    Vulnerability scanning, on the other hand, takes a breadth-first approach
    and tries to reveal all *known* vulnerabilities in all tested assets.
    This is a quite useful approach for periodic scanning and general
    remediation of detected vulnerabilities. Scanning will reveal known
    bugs and tell you to fix them, but it will NOT (no matter what the
    fancy reports say) explain what the real impact of those vulnerabilities is,
    since by its very nature a vuln scanner's output is just an enumeration of
    bugs and their associated fixes. The automatic addition of a "risk level"
    factor in scanner reports does not relate to actual risk in a particular
    infrastructure, since it does not take into account the organization's
    business processes and procedures and does not correlate all found
    vulnerabilities to understand more than simplistic trust relationships and
    configuration errors.
    
    
    The real value of penetration testing and vulnerability scanning will become
    more evident only if all stakeholders in those processes have a clear 
    understanding of their limitations.
    
    -ivan
    
    
    Bennett Todd wrote:
    > Penetration Testing and Vulnerability Scanning are areas with a lot
    > of overlap. The difference between the two is less in the exact menu
    > of tools used, and more in the context and application.
    > 
    > In whitehat applications the two categories differ more in who is
    > doing it, where, and why, and what surrounding activities they
    > perform, and less in exactly what the heart of the scan does.
    > 
    > Penetration Testing I've most often seen used to describe an
    > external vulnerability assessment. The customer will negotiate a
    > contract with the provider, and very often (at least every case I've
    > been involved with:-) the contract will completely prohibit
    > exploitation of holes found, acknowledging that without that
    > exploitation the pentester cannot guarantee that some additional
    > protection behind the facade might not have actually prevented the
    > successful exploitation of the found hole. Pen-testing is routinely
    > performed from the Internet at the outside perimeter of the target,
    > and the negotiated contract has terms limiting what will be
    > attempted --- no DoS, no exploitation, only during agreed-on time
    > windows, only from IP addresses which have been announced to the target
    > before the scan begins, that sort of thing.
    > 
    > Vulnerability Scanning I've seen as a task normally carried out by
    > security engineers within the organization; they may use open source
    > components, homebrew tools, commercial proprietary products, or some
    > mix of the lot, but the emphasis is on periodic scanning of the
    > whole net --- with emphasis on the inside net, behind the firewall
    > --- to find config errors and rogue machines and the like. I could
    > see a vuln-scanning plan that included use of exploitation to
    > follow up and confirm that claimed found vulns are in fact
    > exploitable.
    > 
    > -Bennett
    
    
    
    --- for a personal reply use: ivan.arceat_private
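The point above about scanner "risk levels" not correlating findings across trust relationships can be made concrete. The following Python script is an added example for this archive page; it is not code from Ivan Arce's post, from Bennett Todd's, or from any product mentioned in the thread. Every host name, finding, severity label and trust relationship in it is constructed for illustration. It takes flat scanner-style findings (each with the access it requires and the access a successful exploit gives), adds the trust relationships a scanner does not know about, and does a breadth-first search from Internet-facing hosts to the assets the business cares about. The result shows a finding the scanner rates "medium" turning out to be the entry point of the only chain to the database, while a "high" on an unreachable host plays no role at all.

```python
"""
Added example, not from the original mailing-list post: correlating a
scanner's flat findings with trust relationships to see which findings
actually matter in a particular infrastructure.  All hosts, findings,
severities and trust relationships below are constructed.
"""
from collections import deque

LEVELS = {"network": 0, "user": 1, "root": 2}   # access an attacker can hold on a host
SEVERITY = {"low": 1, "medium": 2, "high": 3}   # the scanner's own "risk level"

# Constructed scanner output: one flat row per finding.  'requires' is the
# access needed to use it, 'gives' what a successful exploit yields (None
# for informational findings).
FINDINGS = [
    {"host": "www",   "vuln": "outdated CMS plugin",    "severity": "medium", "requires": "network", "gives": "user"},
    {"host": "www",   "vuln": "weak TLS ciphers",       "severity": "low",    "requires": "network", "gives": None},
    {"host": "jump",  "vuln": "local kernel privesc",   "severity": "high",   "requires": "user",    "gives": "root"},
    {"host": "db",    "vuln": "default admin password", "severity": "high",   "requires": "network", "gives": "root"},
    {"host": "kiosk", "vuln": "unpatched RDP service",  "severity": "high",   "requires": "network", "gives": "root"},
]

# Constructed trust relationships no scanner reports: holding from_level on
# from_host lets you act as to_level on to_host (ssh keys, cached creds, ACLs).
TRUSTS = [
    ("www",  "user", "jump", "user"),   # www's service account has an ssh key for jump
    ("jump", "root", "db",   "root"),   # jump caches the DBA's credentials
]

EXTERNAL = {"www"}        # hosts reachable from the Internet
CROWN_JEWELS = {"db"}     # what the business actually cares about


def exploit_step(f):
    return f"exploit '{f['vuln']}' on {f['host']} -> {f['gives']}"


def reach(findings, trusts, external):
    """Breadth-first search over (host, level) states starting from network
    access to the external hosts.  Returns {state: (previous_state, step)}."""
    start = [(h, "network") for h in sorted(external)]
    pred = {s: None for s in start}
    queue = deque(start)
    while queue:
        host, level = queue.popleft()
        # Use any finding on this host the attacker is positioned to exploit
        # and that raises the access level.
        for f in findings:
            if f["host"] != host or f["gives"] is None:
                continue
            if LEVELS[level] >= LEVELS[f["requires"]] and LEVELS[f["gives"]] > LEVELS[level]:
                nxt = (host, f["gives"])
                if nxt not in pred:
                    pred[nxt] = ((host, level), exploit_step(f))
                    queue.append(nxt)
        # Follow trust relationships the current foothold grants.
        for a, la, b, lb in trusts:
            if a == host and LEVELS[level] >= LEVELS[la]:
                nxt = (b, lb)
                if nxt not in pred:
                    pred[nxt] = ((host, level), f"use {host}:{level} trust -> {b}:{lb}")
                    queue.append(nxt)
    return pred


def attack_paths(findings, trusts, external, targets):
    """Shortest chain of exploits and trusts from the Internet to root on
    each crown jewel, as {target: [step, ...]}; unreachable targets are absent."""
    pred, paths = reach(findings, trusts, external), {}
    for t in sorted(targets):
        state = (t, "root")
        if state not in pred:
            continue
        steps = []
        while pred[state] is not None:
            state, step = pred[state]
            steps.append(step)
        paths[t] = steps[::-1]
    return paths


def contextual_ranking(findings, trusts, external, targets):
    """Label each finding by the role it plays against this infrastructure,
    which is what a per-finding severity cannot express.  Returns
    [(scanner_severity, role, vuln), ...] in the scanner's own severity order."""
    pred = reach(findings, trusts, external)
    paths = attack_paths(findings, trusts, external, targets)
    reachable_hosts = {host for host, _ in pred}
    rows = []
    for f in findings:
        on_path = [t for t, steps in paths.items() if exploit_step(f) in steps]
        if on_path:
            role = "chained into a path to " + ",".join(on_path)
        elif f["host"] in reachable_hosts:
            role = "reachable, but not needed for any path found"
        else:
            role = "not reachable from the Internet with the data given"
        rows.append((f["severity"], role, f["vuln"]))
    return sorted(rows, key=lambda r: -SEVERITY[r[0]])


if __name__ == "__main__":
    for t, steps in attack_paths(FINDINGS, TRUSTS, EXTERNAL, CROWN_JEWELS).items():
        print(f"path to {t}:")
        for s in steps:
            print("   ", s)
    for sev, role, vuln in contextual_ranking(FINDINGS, TRUSTS, EXTERNAL, CROWN_JEWELS):
        print(f"{sev:7} {vuln:24} {role}")
```

Run as-is, the script prints a four-step chain (CMS plugin on www, ssh trust to jump, kernel privesc, cached DBA credentials to db) and then the scanner's severity order with the contextual role beside each finding: the three "high" findings come out as one that is chained into the path, one that is reachable but unnecessary once root on db is already obtained through trust, and one on a host that nothing in the data reaches. Dropping the second trust entry empties the result, which is exactly the kind of fact a scanner report cannot contain because the trust is not a "bug" on any host.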
    