Penetration Testing mailing list archives

RE: Limited vs full blown testing


From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Thu, 24 Jun 2004 17:00:55 -0500

<SNIP>
First of all, most people seem to confuse auditing, vulnerability
testing and penetration testing.  Even within discussions here, there
doesn't seem to be a clear definition amongst the tribe as to what does
what.
</SNIP>

<SNIP>
Penetration testing is the act of penetrating a system.  Breaking into
it using whatever tools are available.  Not some proprietary software.
That's bogus.
</SNIP>

This is all too true.  From my perspective, unless you have a "trophy"
for me to hack in and retrieve, it's not a penetration test.  While my
doing a scan of your network may be one activity that I carry out as
part of the pen test, it, on its own, doesn't qualify as a
penetration test.  Looking for vulnerable systems or applications,
alone, doesn't cut it either.  This is something that I might do as part
of my attempt to penetrate your security, but unless the attempt to
actually penetrate is made IT ISN'T A PEN TEST!

Pen testing involves discovering and _attempting to exploit_ issues like
(my favorite) poorly configured proxies in order to gain unauthorized
access to systems and/or their contents.  Just discovering the issue
doesn't necessarily involve an attempt at penetration and should not be
labeled a pen test.  It's misleading, especially to the "suits"
mentioned in a previous email.

What most of the discussions in this group seem to focus on are more
correctly labeled as vulnerability assessments and audits.  Each of
these has a valid and well deserved place in security methodology, but
they aren't a pen test any more than my Chihuahua is a wolf.  Sure they
both have four legs and a wet nose, but I'd lots rather meet the Chihuahua
in a dark forest!

2 cents,

Jimi