Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Is Pentesting Goal Oriented, or Coverage Oriented?

From: Jerome Athias (jerome.athiasfree.fr)
Date: Mon Oct 05 2009 - 06:47:14 CDT

Le vendredi 02 octobre 2009 à 21:02 -0400, Daniel Miessler a écrit :
> Greetings List,
> I'm having a discussion with Johannes Ullrich via the SANS Application
> Security Streetfighter Blog on whether penetration testing is goal or
> coverage oriented.
> Johannes's position is that a pentest that attains a goal, e.g. root
> access or a database dump, and then stops is an incomplete and poor
> pentest. He believes a good pentester should continue finding as many
> vulnerabilities as he can.
I agree, that's what I call a Pentest.

> I hold the opposite view, which is that a penetration test is, by
> definition, focused on achieving a specific goal,
That's what I call "Writing a Report".

> and that if the aim
> of testing is to find as many vulnerabilities as possible the type of
> test you're performing is a vulnerability assessment.
That's what I call ""Launching Nessus"".
(* If you don't include a fuzzing process).

> Here are the original arguments:
> Johannes: http://blogs.sans.org/appsecstreetfighter/2009/09/30/pentesting-do-you-need-coverage/
> Me: http://blogs.sans.org/appsecstreetfighter/2009/10/03/response-pentesting-coverage/
> My Original: http://danielmiessler.com/blog/infosec-vulnerability-assessment-vs-penetration-test
> I'm curious as to what the list thinks of the two perspectives.
My 2 frog legs

> --
> Daniel R. Miessler
> W: http://danielmiessler.com
> E: danieldanielmiessler.com
> P: 0x4048712D

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.