
Possible Duplicate:
What is the difference between a penetration test and a vulnerability assessment?

When people talk about webapp security testing, do they usually mean vulnerability scanning or penetration testing? Or both?

My understanding is that a pen-test should include vulnerability scanning with the additional step of exploitation, and that it is a complete webapp security testing.

The vulnerability scanning is usually done by a scanner and does not include the exploitation step. After the vulnerability scanning is completed, we can go further with the penetration testing, which can use different specific pen-test tools or a manual process.

Please comment. Thanks!!

Ray
  • So it's not complete web app security testing. You also need to model the attack. For example, you need to model what you are dealing with, e.g. if the system is receiving updates and if you can offend this, if there is an IPS so you can bypass it, if there is someone watching the policy, and if there is someone watching the person watching the policy. Once you model the behaviour of the other system, you are ready to model the attack. Once you model the attack, you prepare the plan and offend the system in the way that you attack the weak point, e.g. bad policies. – Andrew Smith Jun 28 '12 at 10:47

3 Answers


In a penetration test, the limits and bounds of the test have to be defined beforehand. The company and the pen-tester have to agree on a set of tests which can be carried out, with legal documents drawn up to protect both parties before the test is carried out.

For a detailed test, it should include the exploitation step to fully test the system. The penetration test should be carried out based on a specific methodology step by step to ensure that nothing is missed.


A penetration test includes multiple important aspects:

A) Before the penetration test, the Company (A) and the Company (P-T) have to define the boundaries: what should be tested, and how, where and when. Sometimes Company (A) provides a testing laptop with the tools requested by the penetration tester. Legal documents are created to ensure the safety of both companies.

B) Following the legal documents, the type of penetration testing requested by Company (A) and the one offered by Company (P-T), the penetration tester is going to go step by step to find flaws in the system.

For example, a penetration tester might be asked to follow a specific methodology such as ISSAF, OWASP, OSSTMM or NIST, following the requirements of Company (A). Some companies (P-T) also have their own specific methodologies to work with.

Some companies might ask the penetration tester to exploit the vulnerabilities, while others might only ask the penetration tester to advise on possible vulnerabilities; it all depends on their needs. (Having the "exploit" step is always better, but sometimes it should be avoided, in particular cases.)

A penetration test should always be done by someone who knows what he is doing. Often some companies try to replicate penetration tests and have problems because of their lack of knowledge (tools, impact, etc.); there should always be a legal document, an appropriate methodology and, in some cases, a supervisor.

AdventN

The speaker does not always know the difference between "vulnerability scanning" and "penetration testing" so it is often good to ask them exactly what they want/imagine.

chao-mu