Penetration Testing mailing list archives

Re: Why Penetration Test?


From: Terry Vernon <tvernon24 () comcast net>
Date: Fri, 10 Jun 2005 15:45:19 +0000

Having pen-tested for two different security companies, ShopIP and then Defensive Thinking, the ideal would be a consultant who can do the audit and run every exploit they find in the wild that applies against the publicly available services they have. Keep track of which ones worked and which ones didn't. That's the start. Your average pen tester stops there. The ideal pen-tester would continue to try to bypass the firewall and, if he/she finds an exploit, use that exploit to try and penetrate the network even deeper and deeper. Don't forget, under a proper contract with a written NDA the pentester has free rein of the network, only limited to not destroying data and preferably not disrupting service to customers, but they need to know if they are vulnerable to DoS.

After that the pen-tester should write up a very detailed report on every single thing they found, how they found it, and what circumstances have to be there for it to be a problem. I used to write two reports, one for IT and one for management that was simplified for non-tech people.

Terry Vernon
Sprite Technologies


tarunthenut () gmail com wrote:

I was wondering about the usefulness of penetration testing against vulnerability assessment for a company.
Scenario A
Consultant "A" is employed to perform a vulnerability assessment and the result is tabulated based on the business risk these vulnerabilities pose.

Scenario B
Consultant "B" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 vulnerabilities.

Scenario C
Consultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 vulnerabilities.

Which scenario would have more usefulness to the company? It is obvious that the result of a PT would depend and vary from the skill of one consultant to another?

