From: rzaluski (rzaluski@ivolution.ca)
Date: Tue Dec 14 2004 - 20:17:34 EST
A good place to start is the OSSTMM.
You can locate it at : http://www.isecom.org/osstmm/
I'm sure you will get a lot of posts to this site from members of this list.
As for automated tools, they are valuable as part of a Pen Test but not a
replacement for it. People have different 'views' on what a VA is and what
a Pen Test is. They are not the same, in our Penetration Testing course we
teach the OSSTMM methodology which provides the security tester a very good
guideline in which to do the test.
Some people use part of the OSSTMM or all of it. Other companies use their
home grown methodology. The important thing is to have a methodology / plan
in place. An Audit can be something as simple as putting a checkmark beside
a column that says: Do you use SSL for web enabled Email? Yes - No?
A Penetration test actively interrogates the Target organization, its
presence, it has a set scope and what tests are to be run, when, where and
how. That's where the Methodology comes into play. The OSSTMM has
templates that help the security tester in this area. This allows things to
be covered off and not left out of a test.
A lot also depends on the scope of the project and costs associated. I Hope
that helps
Richard Zaluski, CCNA, CRCP
CISO, Security and Infrastructure Services
iVolution Technologies Incorporated
905.309.1911
866.601.4678
905.524.8450 (Pager)
www.ivolution.ca
rzaluski@ivolution.ca
-----Original Message-----
From: Adriel T. Desautels [mailto:atd@secnetops.com]
Sent: Tuesday, December 14, 2004 11:20 AM
To: pen-test@securityfocus.com
Subject: Penetration Testing Methodologies
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings List,
I am interested in collecting ideas as to what people feel an ideal
penetration test is. What does the ideal methodology look like and
what are the goals? I am asking you this because I have been running
into interesting issues in certain markets. It would appear that some
people view penetration tests as nothing more then basic network
vulnerability audits while others view a penetration test for what it
is, a test designed to compromise target systems as PoC of
vulnerability.
How do people feel about the use of automated tools and the weights
of their results? What about manual or custom testing? We have our
own methodology that we use for testing our client networks, but I am
always interested in learning what else might be done. I'd be happy
to engage anyone in a conversation about this subject.
Regards,
Adriel T. Desautels
Secure Network Operations, Inc.
-----------------------------------------
Office: 978-263-3829 Cell: 978-697-2946
http://www.secnetops.com
CAUTION: The information contained in this mail message is
confidential and may be legally privileged. No confidentiality or
privilege is waived or lost by any mistransmission. If the reader of
this message is not the intended recipient, you are hereby notified
that any use, dissemination, or reproduction of this message is
prohibited. If you have received this message in error please notify
the sender immediately by email and destroy the original message.
Thank you
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
Comment: http://www.secnetops.com
iQA/AwUBQb8SQ7R5YB3MHZrzEQIs4QCgh/nnbznNp7MgI8lBTWQfCr+xlTkAn1yk
ZZu2wdM22W3VbqMr2HF2obEx
=DQTm
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT