Vulnerability Assessment and Penetration Testing

**arunsivadasan** · 06-20-2011, 05:22 PM

Hi guys,

A colleague recently asked me a question that left me stumped.

His client told him: 'we only need to do penetration testing and not vulnerability assessment. Since I am preventing threats coming in from outside using PT, I dont need to do VA.. Even if there are vulnerabilities inside, since no threat can come inside, I dont have to worry.'

I asked him convey the example of a virus spreading through an infected USB. Its able to spread havoc because internal vulnerabilities remain unaddressed.

Do you guys have any real life examples that can be used to convince his client?

**Anant Shrivastava** · 06-20-2011, 05:26 PM

just give to him a case study on how insiders are bigger threat then outsiders.

also vulnerability assessment is about things that do exist on the network... PT is about real life exploitation (was suppose to be)

If a team or group of people can't penetrate a vulnerability identified then that doesn't limit the danger's of vulnerability that just shows the limitation at the teams end.

hope this can help.

**b0nd** · 06-20-2011, 06:40 PM

The points here might help.

**Punter** · 06-20-2011, 08:51 PM

u should tel them really whats the insider threats can be also recent attacks happend on RSA ,google hackers targeted internal employees and then those impacts were high i think evry 1 knows that its like i have Firewall on my perimiter so it doesnt mean they r secure .

**acr0n** · 06-21-2011, 08:01 PM

I think Operation Aurora ( Google China hack) is the best example .. some good resources -- > http://www.cert.org/insider_threat/

**swatantra** · 06-23-2011, 10:54 PM

Pentest Vs Vulnerability Asssesment
One of the best article I ever read...

Good comparison!

http://www.tns.com/PenTestvsVScan.asp

Thread: Vulnerability Assessment and Penetration Testing

LinkBack

Thread Tools

Search Thread

Display