Goal Oriented Pentesting – Joshua “Jabra” Abraham
By Daniel Miessler on February 17th, 2010: Tagged as Information Security | Penetration Testing
Penetration testing is all about achieving goals and not about finding vulnerabilities.
Another one who gets it. I wrote about this a while back in my post, Vulnerability Assessments vs. Penetration Tests.
Many very smart people in infosec completely miss the point on this (in my opinion), including Johannes Ullrich, CTO of SANS. He thinks that the definition of a *poor* pentest is one that goes after a single goal instead of finding *ALL* the vulnerabilities.
My point, and presumably Joshua Abraham would agree, is that there is already a name for a test where you enumerate vulnerabilities. It’s called a vulnerability assessment.
Very simple: If you’re making a list of problems, it’s a vulnerability assessment; if you’re trying to exploit whatever you find in order to accomplish a specific goal, it’s a pentest.