Comments on: Seven Deadly Pen Test Sins http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Mike http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/comment-page-1/#comment-81 Mike Wed, 19 Mar 2008 00:06:56 +0000 http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/#comment-81 Very good points Pieter. Pen testing certainly is testing exposure to a particular threat. The other thing to consider is that pen testing is often time-boxed, and also constrained in what areas are "in" and "out" of scope - both issues that hackers don't worry about. So, I would agree, making sure that you know the clients objectives (and helping them set resonable objectives as well I'd like to add) is critical in this process Very good points Pieter. Pen testing certainly is testing exposure to a particular threat. The other thing to consider is that pen testing is often time-boxed, and also constrained in what areas are “in” and “out” of scope – both issues that hackers don’t worry about.

So, I would agree, making sure that you know the clients objectives (and helping them set resonable objectives as well I’d like to add) is critical in this process

]]> By: Pieter Danhieux http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/comment-page-1/#comment-79 Pieter Danhieux Tue, 18 Mar 2008 11:31:54 +0000 http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/#comment-79 One thing which I am missing in both the lists, is actually the definition of the objectives of a penetration test. During my career, I have generally seen two objectives when testing apps or infrastructure: - awareness of people: whether it's awareness of the C-levels, or developers. This is in my opinion the only "valid" reasons to do a penetration test. Your technical results should "strike" developers, or definitly senior management. - testing the exposure against a certain threat: you have experienced penetration testers, you have trainee penetration testers, you have professional hackers and you have less professional hackers. Basically, in my opinion (again), I think that a penetration test is just simulating a certain threat and testing wether an information system is exposed to that threat (read: identification of vulnerabilities which can be found by a certain threat based upon his skills/competences/experiences). but NOT: - measuring the security, or estimation how "secure" an application is. This highly depends on the skills of your penetration tester, which is in fact only simulating a threat. So I think I would add a deadly sin, and make 8 out of it: "Not agreeing on the objectives with your client". regards, One thing which I am missing in both the lists, is actually the definition of the objectives of a penetration test. During my career, I have generally seen two objectives when testing apps or infrastructure:
- awareness of people: whether it’s awareness of the C-levels, or developers. This is in my opinion the only “valid” reasons to do a penetration test. Your technical results should “strike” developers, or definitly senior management.

- testing the exposure against a certain threat: you have experienced penetration testers, you have trainee penetration testers, you have professional hackers and you have less professional hackers. Basically, in my opinion (again), I think that a penetration test is just simulating a certain threat and testing wether an information system is exposed to that threat (read: identification of vulnerabilities which can be found by a certain threat based upon his skills/competences/experiences).

but NOT:
- measuring the security, or estimation how “secure” an application is. This highly depends on the skills of your penetration tester, which is in fact only simulating a threat.

So I think I would add a deadly sin, and make 8 out of it: “Not agreeing on the objectives with your client”.

regards,

]]> By: Jason Rakowski http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/comment-page-1/#comment-74 Jason Rakowski Sat, 15 Mar 2008 23:49:35 +0000 http://www.mikeandrews.com/2008/03/15/seven-deadly-pen-test-sins/#comment-74 Good Layout and design. I like your blog. I just added your RSS feed to my Google News Reader. . Jason Rakowski Good Layout and design. I like your blog. I just added your RSS feed to my Google News Reader. .

Jason Rakowski

]]>