Penetration Testing mailing list archives
RE: Security Audit
From: "Filer, Eddie (ZA - Johannesburg)" <efiler () deloitte co za>
Date: Thu, 6 Sep 2001 09:14:30 +0200
Hi

My opinion is that a vulnerability assessment entails far more than a penetration test. A penetration test just looks to see if a system has a single weakness that can be exploited to compromise the system from internally and/or externally. A vulnerability assessment would entail a detailed analysis of the system, including, but not limited to, a Nessus scan.

We would normally quote approximately 8 hours for an individual system and this would be scaled down for additional systems due to the ability to script scans etc.

Our normal vulnerability assessment process would be:

1. Research and Planning (check latest vulnerabilities and exploits etc.)
2. Run tools (not just Nessus)
3. Verify findings of tools (eliminate false positives)
4. Write detailed report indicating findings, impact and recommendations.

Hope this helps.

Kind Regards,

Eddie Filer
Senior Consultant
Deloitte & Touche
Enterprise Risk Services
Information Security Services

PLEASE NOTE: This e-mail message and its attachments are subject to the disclaimers as published at: <http://www.deloitte.co.za/disc.htm#emaildisc>

-----Original Message-----
From: Todd Ransom [mailto:transom () extremelogic com]
Sent: 05 September 2001 07:12
To: pen-test () securityfocus com
Subject: Re: Security Audit
A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment: 20 minutes per host
Penetration Test: 1 Hour per host
What is the difference between vuln assessment and pen test? I have not done either but this seems like a highly subjective area to me. Are you really going to do a vuln assess on a dynamic web site - with all its custom scripts and database connectivity and possibly middleware - in 20 minutes? It sounds like a vuln assess consists of running Nessus or something similar, searching bugtraq archives and possibly throwing in a google search for extra credit.

Even on a workstation it seems like you couldn't get much done in 20 minutes. I don't even see how you could reliably enumerate all the installed software in less than 20 minutes.

TR

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
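Steps 2 to 4 of the assessment process described in the reply above (run more than one tool, verify the findings to eliminate false positives, then write a report with findings, impact and recommendations), shown as an added Python example that is not the poster's code and not part of the original thread. The hosts, tool names, findings, verification outcomes and recommendation text are all constructed for illustration; real scanner output would first need to be normalised into the same shape.

```python
"""Consolidate findings from several assessment tools, apply the analyst's
verification results, and produce a per-host report.
Added example: every host, tool and finding below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}   # lower number = more severe


@dataclass(frozen=True)
class Finding:
    host: str        # address of the assessed system (constructed)
    issue: str       # short name of the reported weakness
    severity: str    # "high" | "medium" | "low"
    tool: str        # which scanner reported it (hypothetical tool names)
    evidence: str    # raw observation the tool based its report on


# Constructed output of two hypothetical scanners, already normalised.
RAW_FINDINGS = [
    Finding("10.0.0.5", "outdated web server", "high", "scanner-a", "Server: Example/1.0"),
    Finding("10.0.0.5", "outdated web server", "medium", "scanner-b", "Server: Example/1.0"),
    Finding("10.0.0.5", "directory listing enabled", "medium", "scanner-a", "200 OK Index of /"),
    Finding("10.0.0.7", "anonymous ftp", "medium", "scanner-b", "230 Login successful"),
    Finding("10.0.0.7", "weak ssl cipher", "low", "scanner-a", "TLS_RSA_WITH_RC4_128_SHA"),
]

# Step 3, verification: the analyst's (constructed) results for each
# (host, issue). True = reproduced by hand, False = false positive.
# Findings absent from this table have not been checked yet.
VERIFICATION = {
    ("10.0.0.5", "outdated web server"): True,
    ("10.0.0.5", "directory listing enabled"): False,   # listing was disabled; stale cache hit
    ("10.0.0.7", "anonymous ftp"): True,
}

# Constructed impact and recommendation text for the report.
IMPACT = {
    "outdated web server": "unpatched version; vendor advisories list remote compromise",
    "anonymous ftp": "unauthenticated read access to the FTP tree",
}
RECOMMENDATION = {
    "outdated web server": "upgrade to the vendor's current release and re-scan",
    "anonymous ftp": "disable anonymous login or restrict it to a read-only drop area",
}


def merge_findings(raw):
    """Collapse duplicate reports of one issue on one host (step 2 output from
    several tools), keeping the highest severity seen and the set of tools that agreed."""
    merged, tools = {}, defaultdict(set)
    for f in raw:
        key = (f.host, f.issue)
        tools[key].add(f.tool)
        if key not in merged or SEVERITY_RANK[f.severity] < SEVERITY_RANK[merged[key].severity]:
            merged[key] = f
    return {k: (v, frozenset(tools[k])) for k, v in merged.items()}


def triage(merged, verification):
    """Step 3: split merged findings into confirmed, false positive and not-yet-verified."""
    confirmed, false_positive, untested = [], [], []
    for key, (finding, _tools) in merged.items():
        if key not in verification:
            untested.append(finding)
        elif verification[key]:
            confirmed.append(finding)
        else:
            false_positive.append(finding)
    return confirmed, false_positive, untested


def build_report(confirmed, untested):
    """Step 4: per-host text report, most severe first, with impact and recommendation.
    Unverified items are listed separately so they are never reported as confirmed."""
    by_host = defaultdict(list)
    for f in confirmed:
        by_host[f.host].append(f)
    lines = []
    for host in sorted(by_host):
        lines.append(f"Host {host}")
        for f in sorted(by_host[host], key=lambda x: SEVERITY_RANK[x.severity]):
            lines.append(f"  [{f.severity.upper()}] {f.issue}")
            lines.append(f"    evidence: {f.evidence}")
            lines.append(f"    impact: {IMPACT.get(f.issue, 'to be assessed')}")
            lines.append(f"    recommendation: {RECOMMENDATION.get(f.issue, 'to be assessed')}")
    if untested:
        lines.append("Not yet verified (excluded from confirmed findings):")
        for f in untested:
            lines.append(f"  {f.host}: {f.issue} (reported by {f.tool})")
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge_findings(RAW_FINDINGS)
    confirmed, false_positives, untested = triage(merged, VERIFICATION)
    print(build_report(confirmed, untested))
```

The point of keeping the three buckets apart is the one the reply makes: tool output is raw material, and only what the analyst has reproduced belongs in the findings section of the report; everything else is either dropped as a false positive or carried as open work.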
Current thread:
- Re: Security Audit, (continued)
- Re: Security Audit R. DuFresne (Sep 06)
- Re: Security Audit Dave Wray (Sep 06)
- Re: Security Audit Jonathan Rickman (Sep 07)
- Re: Security Audit Philipp Buehler (Sep 06)
- Re: Security Audit bacano (Sep 06)
- Re: Security Audit bacano (Sep 05)
- Re: Security Audit JCovington (Sep 05)
- Re: Security Audit bacano (Sep 06)
- RE: Security Audit PM Systems - Rick Woehler (Sep 05)
- Re: Security Audit H Carvey (Sep 06)
- RE: Security Audit Filer, Eddie (ZA - Johannesburg) (Sep 06)
- RE: Security Audit Wertheimer, Ishai (Sep 06)
- Re: Security Audit Erik Tayler (Sep 06)
- Re: Security Audit Renaud Deraison (Sep 07)
- Re: Security Audit Justin Stanford (Sep 07)
- Re: Security Audit bacano (Sep 10)
- RE: Security Audit Roberts, Kevin S (Sep 06)
- RE: Security Audit Ogle Ron (Rennes) (Sep 06)
- Re: Security Audit bluefur0r bluefur0r (Sep 06)
- Re: Security Audit Rob J Meijer (Sep 07)
- RE: Security Audit Aleksander Czarnowski (Sep 07)