Mark Tinberg wrote:

> If I may respectfully disagree, a pen-test *is* about getting in, and is
> distinct from an audit. To me (and this may just be a semantic
> difference) an audit is a completely different animal where the auditors
> spend several weeks/months on-site going over the client's procedures and
> network equipment with a fine-toothed comb, as well as interviewing the
> admins. The report will contain things that should be tightened up as
> well as places where the written policy differs from what is implemented
> in the network hardware and where the admins differ from policy. It is
> not something that can be done remotely, although it may involve a
> pen-test for verification.
I tend to separate this into three different categories:

- The pen-test is all about getting in, as Mark said. Indeed, its very name implies that the main purpose is to find _a_ hole, and not _all_ holes, the point (or one of the points, depending on the particulars) being that if an experienced team of pen-testers cannot break into the system, most hackers shouldn't either (note the "most"; we all know there's no such thing as perfect security).

- The vulnerability assessment is similar to the pen-test as far as the tools and methods are concerned, but aims at identifying _all_ vulnerabilities in a target platform.

- The security audit is the full package, heavily relying on a formal methodology, including a complete analysis of the client's security policy and how it is applied, and so on.

But, of course, that's just me, and as far as I know, there's no precise, widely accepted definition.

--
Daniel Polombo
Cartel Securite

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
