There are varied point of views on what constitutes a
Penetration Test versus a Vulnerability Assessment. The main difference,
however, seems to be that a Penetration Test involves diagnosing as many
vulnerabilities as possible. While some feel that Penetration Tests comprises
of identifying all the vulnerabilities, if possible, some others feel that
Penetration Tests are purpose oriented and are indifferent towards what other
vulnerabilities might exist.
I believe in the second theory and what follows are some
points, which makes my belief stronger.
Language Is Important
There are two reasons why we feel that language is
important. We have a security test for collecting the full list of vulnerabilities
and it is called Vulnerability Assessment. If there isn't a communicable and
clear distinction between this test and penetration testing then two separate
terms would not have existed. There is a distinction between the two types of
tests and it is a crucial one.
Explained Definitions
Vulnerability Assessments are formed to produce a planned
list of vulnerabilities and are meant for clients who understand that their IT
security is not fool-proof and they need to work on it. The customer knows that
they have issues and they just need help in identifying them.
The more problems identified the better, so a white box
approach should be adopted whenever possible. The output of this assessment is,
more importantly, a planned list of explored vulnerabilities.
Web application penetration testing services are
devised to accomplish a certain attacker simulated goal and should be done by
enterprises who have already achieved their desired security level. A typical
objective is to access crucial information in a customer database in the
internal network, or to correct a record in an HR system.
Exploitation through Penetration Tests
Another mistake while discussing penetration tests vs.
vulnerability assessments is to center around the point of exploitation. The
basic description is:
“Finding vulnerabilities is a vulnerability assessment,
and exploiting them is a penetration test.”
But this is not correct.
Exploitation can be thought of as a sliding bar between
nothing and a lot, which can be taken advantage of in both penetration tests as
well as vulnerability assessment. Although the more serious penetration tests
lean more towards showing rather than telling (which lead to exploitation),
it's also a situation where you can show that even without full exploitation a
vulnerability is real.
To Conclude
Vulnerability Assessment: It is usually requested by
customers who are aware that they have issues and need help in getting started.
The goal is to accomplish a planned list of vulnerabilities in an environment,
so that the solution can be found.
Penetration Tests: Requested by customers who believe
that their defenses are strong and want to test that theory. The goal is to
find out whether a security posture can stand an intrusion by an advanced attacker.
Read more Here http://www.avyaan.com/blog/understanding-social-engineering/
No comments:
Post a Comment