Penetration Testing mailing list archives
Re: Security Audit
From: Forrest Rae <forrest () code-lab com>
Date: Wed, 05 Sep 2001 14:52:15 -0500
Hi Todd,

You bring up some very good questions: :-)

When I say vulnerability assessment, I should have added "Automated" to the beginning.

> What is the difference between vuln assessment and pen test?

IMHO: It's a fine line between assessing possible access points and entering access points.

> I have not done either but this seems like a highly subjective area to me.

Agreed.

> Are you really going to do a vuln assess on a dynamic web site - with all its custom scripts and database connectivity and possibly middleware - in 20 minutes?

I mentioned "Once Over" for a reason. :P This is just a base to work from. Some customers want a view from 30,000 feet, some want one from 100 feet.

> It sounds like a vuln assess consists of running Nessus or something similar, searching bugtraq archives and possibly throwing in a google search for extra credit.

Yes, that is basically one way you can accomplish it. Nessus is a great tool that, when used properly, can accomplish wonderful things. (Baby Sit Children, Leap Tall Buildings, etc. :-P) Although, I wouldn't recommend giving customers canned Nessus reports. ;-)

> Even on a workstation it seems like you couldn't get much done in 20 minutes. I don't even see how you could reliably enumerate all the installed software in less than 20 minutes.

Are you really going to enumerate all installed software without penetrating the computer?

-Forrest

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/