Penetration Testing mailing list archives
RE: Limited vs full blown testing
From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Thu, 24 Jun 2004 17:00:55 -0500
<SNIP> First of all, most people seem to confuse auditing, vulnerability testing and penetration testing. Even within discussions here, there doesn't seem to be a clear definition amongst the tribe as to what does what. </SNIP>

<SNIP> Penetration testing is the act of penetrating a system. Breaking into it using whatever tools are available. Not some proprietary software. That's bogus. </SNIP>

This is all too true. From my perspective, unless you have a "trophy" for me to hack in and retrieve, it's not a penetration test. While my doing a scan of your network may be one activity that I carry out as part of the pen test, it, on its own, doesn't qualify as a penetration test. Looking for vulnerable systems or applications, alone, doesn't cut it either. This is something that I might do as part of my attempt to penetrate your security, but unless the attempt to actually penetrate is made IT ISN'T A PEN TEST!

Pen testing involves discovering and _attempting to exploit_ issues like (my favorite) poorly configured proxies in order to gain unauthorized access to systems and/or their contents. Just discovering the issue doesn't necessarily involve an attempt at penetration and should not be labeled a pen test. It's misleading, especially to the "suits" mentioned in a previous email.

What most of the discussions in this group seem to focus on are more correctly labeled as vulnerability assessments and audits. Each of these has a valid and well deserved place in security methodology, but they aren't a pen test any more than my Chihuahua is a wolf. Sure they both have four legs and a wet nose, but I'd lots rather meet the Chihuahua in a dark forest!

2 cents,
Jimi