OSEC

From: R. DuFresne (dufresnesysinfo.com)
Date: Wed Sep 05 2001 - 14:12:05 CDT


    Anyone claiming that their pen test, vuln assessment, or security audit
    consists merely of running nessus and or nmap and producing a report and
    final results is a charlatan, and does the security industry a
    disservice. Yet, I have seen, in practice, both outside consultants,
    hired guns from the outside and supposedly 'trained' professionals <CISSP!>
    within the corporate sector do merely this and stamp "certified secure"
    across organizations. A "test, assessment, or audit" is more akin to
    remodeling than new home building, and remodeling, having done lots of it
    over time, I can safely state, is -=dirty work=-. When you rip open a
    wall, one is sometimes amazed, as well as disheartened, at what they find
    behind the sheetrock and plaster.

    Thanks,

    Ron DuFresne

    On Wed, 5 Sep 2001, Todd Ransom wrote:

    > > A good estimate of time for a "Once Over" breaks down like this:
    > >
    > > Vulnerability Assessment:
    > > 20 minutes per host
    > >
    > > Penetration Test:
    > > 1 Hour per host
    >
    > What is the difference between vuln assessment and pen test?
    >
    > I have not done either but this seems like a highly subjective area to me.
    > Are you really going to do a vuln assess on a dynamic web site - with all
    > its custom scripts and database connectivity and possibly middleware - in 20
    > minutes? It sounds like a vuln assess consists of running Nessus or
    > something similar, searching bugtraq archives and possibly throwing in a
    > google search for extra credit.
    >
    > Even on a workstation it seems like you couldn't get much done in 20
    > minutes. I don't even see how you could reliably enumerate all the
    > installed software in less than 20 minutes.
    >
    > TR
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior consultant:  darkstar.sysinfo.com
                      http://darkstar.sysinfo.com
    

    "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

    testing, only testing, and damn good at it too!
