Penetration Testing mailing list archives
Is Pentesting Goal Oriented, or Coverage Oriented?
From: Daniel Miessler <daniel () danielmiessler com>
Date: Fri, 2 Oct 2009 21:02:53 -0400
Greetings List,

I'm having a discussion with Johannes Ullrich via the SANS Application Security Streetfighter Blog on whether penetration testing is goal or coverage oriented.
Johannes's position is that a pentest that attains a goal, e.g. root access or a database dump, and then stops is an incomplete and poor pentest. He believes a good pentester should continue finding as many vulnerabilities as he can.
I hold the opposite view, which is that a penetration test is, by definition, focused on achieving a specific goal, and that if the aim of testing is to find as many vulnerabilities as possible the type of test you're performing is a vulnerability assessment.
Here are the original arguments:

Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test

I'm curious as to what the list thinks of the two perspectives.

--
Daniel R. Miessler
W: http://danielmiessler.com
E: daniel () danielmiessler com
P: 0x4048712D