I was recently in a meeting with a potential customer and we were discussing their current vendors and what they provide in their Penetration Test. As I glanced over the reports I noticed that the service provided was purely a Vulnerability Assessment masquerading as a Penetration Test. The particular vendor in question had only conducted a port scan followed by listing possible vulnerabilities that exist for the service and operating system versions identified.
In my opinion, I would barely even classify this as a Vulnerability Assessment. A Vulnerability Assessment Engagement from Security Brigade goes through the following phases:
- Pre-Assessment Analysis
- Information Gathering
- Port Scanning
- Enumeration
- Threat Profiling & Risk Identification
- Network Vulnerability Assessment
- Application Vulnerability Assessment
- Engagement Analysis
- Mitigation Strategies
- Report Generation
- Support
A Penetration Testing Engagement, by contrast, goes through the following phases:
- Pre-Assessment Analysis
- Information Gathering
- Port Scanning
- Enumeration
- Social Engineering
- Threat Profiling & Risk Identification
- Network Vulnerability Assessment
- Application Vulnerability Assessment
- Exploit Research & Development
- Exploitation
- Privilege Escalation
- Retaining Access
- Network Propagation
- Engagement Analysis
- Mitigation Strategies
- Report Generation
- Support
I believe it is fairly important for Clients, and especially Vendors in India, to understand the difference and to represent the two services in their traditionally accepted form. This is a crucial step for Indian IT Security to take if it is to move forward and provide real security to customers.
One of the white papers that I am currently working on specifically looks at the difference between Vulnerability Assessments and Penetration Tests with a focus on:
- What is covered by each service
- What factors should be considered while determining their requirements
- How a Client can determine their requirements
- Comparison of the benefits and drawbacks of both services
- etc.