From: Woody Weaver (woody.weaver@callisma.com)
Date: Tue Jun 18 2002 - 16:59:01 EDT
On Monday, June 17, 2002 8:33 AM, Javier Fernandez-Sanguino Pena wrote:
(DP = David Polombo, MT = Mark Tinberg)
DP> I tend to separate this into three different categories :
JF> I have a different view myself (see below)
DP> - the pen-test is all about getting in, as Mark said. Indeed, its very
DP> name implies that the main purpose is to find _a_ hole, and not _all_
DP> holes, the point (or one of the points, depending on the particulars)
(...)
JF> A penetration test is not useful for the client if you just report
JF> a single hole and they close it. If you want to do a real penetration test
JF> it should be broad in scope, i.e., detect _all_ holes that could be used
JF> to gain entrance and get in.
(...)
I think it is unfortunate that people don't use the language in RFC2828:
$ penetration test
(I) A system test, often part of system certification, in which
evaluators attempt to circumvent the security features of the
system. [NCS04]
(C) Penetration testing may be performed under various constraints
and conditions. However, for a TCSEC evaluation, testers are
assumed to have all system design and implementation
documentation, including source code, manuals, and circuit
diagrams, and to work under no greater constraints than those
applied to ordinary users.
Under that definition, which is I think consistent with David Polombo (and
Mark Tinberg), a penetration test is an attempt to violate the security
features of a system. It succeeds if the security policy can be violated;
what it tells the client is that their enforcement mechanisms are not
sufficient (given the resources of the pen test team).
A pen test is of little use to a client, unless they are looking for system
certification. It is not about finding a hole (or multiple holes) -- it
means that you aren't done preparing the system. Marketing often tries to
sell vulnerability assessments (perhaps with some pen test flavors) because
"pen test" is sexy, and people are ignorant.
A vulnerability assessment has no sharp definition (there are some things in
the common criteria). However, I would think it is a comparison against an
existing security policy (aka a security audit) or comparison against "best
practices"; and it would provide a list of non-compliant elements or a list
of known vulnerabilities, together with remediation steps.
--woody
--
Field Practice Lead, Security        pager: 8779583393@skytel.net
Callisma                             email: woody.weaver@callisma.com
1320 Old Chain Bridge Road           cell: 301 524 8138
McLean, VA 22101                     office: 301 473 7320
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT