Johannes Ullrich and Daniel Miessler have been debating the definitions of a vulnerability assessment and a penetration test. You can read the blog posts here: Johannes vs Daniel.
I have always considered a pentest to be about achieving a goal set by the client, which is also Daniel's view, whether that goal is breaking into the main financial database or the CIO's workstation. It could even be as simple as gaining access to the company's internal network, because from there the attacker would have the time to penetrate further.
Johannes, on the other hand, thinks that a pentest should take everything into account and exploit every possible avenue, just to be thorough, and then present the client with all the possibilities that could be used to infiltrate the network. That would be very time consuming and would (or should) be much easier to detect, which works against a penetration test. You do not want to be detected; if you are, you have failed.
There is a catch worth thinking about: Johannes talks about webapps in his blog post. Perhaps he forgot to specify what kind of target he is talking about?
I view a vulnerability assessment as an automated task: you set a specific IP range and try to find known vulnerabilities in the operating systems, listening services and configurations. A web application is built on top of all this. A vulnerability assessment is just for that: finding vulnerable versions of software.
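To make the "finding vulnerable versions of software" part concrete, here is the matching core of such an assessment, written as an added example for this post (it is not code from the original post or from any scanner). It takes service banners collected from an IP range, identifies the product and version, and compares the version numerically against a list of advisories that say "fixed in version X". The banners, the advisory list and the ADV-EXAMPLE ids are constructed placeholder data, not a real vulnerability feed.

```python
"""Version-matching core of a network vulnerability assessment.

Added example. All hosts, banners and advisory entries below are
constructed sample data; the ADV-EXAMPLE ids are placeholders, not CVEs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample banners, keyed by (host, port), as a scanner might
# collect them while sweeping an IP range.
SAMPLE_BANNERS: Dict[Tuple[str, int], str] = {
    ("192.0.2.10", 22): "SSH-2.0-OpenSSH_5.1p1 Debian-5",
    ("192.0.2.10", 80): "Apache/2.2.9 (Debian)",
    ("192.0.2.11", 21): "220 ProFTPD 1.3.2 Server ready.",
    ("192.0.2.12", 80): "nginx/0.7.63",
    ("192.0.2.12", 443): "Some custom service v9",
}

# Constructed, hypothetical advisories: (product, fixed_in_version, advisory id).
# A host is flagged when its version is strictly below fixed_in_version.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("openssh", "5.2", "ADV-EXAMPLE-001"),
    ("apache", "2.2.12", "ADV-EXAMPLE-002"),
    ("proftpd", "1.3.3", "ADV-EXAMPLE-003"),
    ("nginx", "0.7.63", "ADV-EXAMPLE-004"),
]

# Banner fingerprints: product name and a regex capturing the dotted version.
BANNER_PATTERNS = [
    ("openssh", re.compile(r"OpenSSH[_ ](\d+(?:\.\d+)*)")),
    ("apache", re.compile(r"Apache/(\d+(?:\.\d+)*)")),
    ("proftpd", re.compile(r"ProFTPD (\d+(?:\.\d+)*)")),
    ("nginx", re.compile(r"nginx/(\d+(?:\.\d+)*)")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: str
    advisory: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '2.2.12' into an integer tuple."""
    return tuple(int(part) for part in version.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Components are compared as integers, so 2.2.9 < 2.2.12 (a plain string
    comparison gets this wrong), and missing trailing components count as 0,
    so 2.2 == 2.2.0.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def identify(banner: str) -> Optional[Tuple[str, str]]:
    """Map a raw banner to (product, version), or None if no pattern matches."""
    for product, pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, match.group(1)
    return None


def assess(banners: Dict[Tuple[str, int], str],
           advisories: List[Tuple[str, str, str]]
           ) -> Tuple[List[Finding], List[Tuple[str, int, str]]]:
    """Match every banner against the advisory list.

    Returns (findings, unidentified): findings are services whose reported
    version is below an advisory's fixed-in version; unidentified lists the
    (host, port, banner) entries no fingerprint recognised, which an assessor
    has to look at by hand rather than silently drop.
    """
    findings: List[Finding] = []
    unidentified: List[Tuple[str, int, str]] = []
    for (host, port), banner in sorted(banners.items()):
        ident = identify(banner)
        if ident is None:
            unidentified.append((host, port, banner))
            continue
        product, version = ident
        for adv_product, fixed_in, adv_id in advisories:
            if adv_product == product and compare_versions(version, fixed_in) < 0:
                findings.append(Finding(host, port, product, version, adv_id))
    return findings, unidentified


if __name__ == "__main__":
    hits, unknown = assess(SAMPLE_BANNERS, ADVISORIES)
    for f in hits:
        print(f"{f.host}:{f.port} {f.product} {f.version} -> {f.advisory}")
    for host, port, banner in unknown:
        print(f"{host}:{port} unidentified banner: {banner!r}")
```

Two things this illustrates about why such an assessment only finds candidate problems: the check is purely "version string below fixed-in version", so a host running a distribution build with a security fix backported under the old version number will still be flagged (a false positive that only a proof of concept or a patch-level check can rule out), and anything the fingerprints do not recognise lands in the unidentified list rather than being counted as safe.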
My point of view is that a web application assessment is different from a vulnerability assessment and is really a grey area. When you find something, you can either weaponize it to prove a point or simply mark the finding as a potential problem and move on with the assessment. The more time you have, the more findings you can weaponize or turn into a proof of concept. For a web application assessment you can use automated tools to ensure proper coverage of the technical vulnerabilities.
So, when talking about webapps, you're basically doing a penetration test against the application but usually stop half-way, because you need to cover as much of it as possible in the given timeframe. You do not really care about the noise you make, and usually you have information available that makes this a white box assessment.
Makes sense, huh?
www.liquidinfo.net - Security is a mindset
October 1, 2009