dnsprincess,

HEY Infosec Mastodon! Wanna help me out?
I'm looking for screenshotable quotes about pentesting. Wanna respond to any of these questions? If you do, you may be included in my next talk!

  • What's the biggest pitfall a pentester can make?
  • What makes a good pentest?
  • What makes a bad test?
  • Vuln scan versus pentest - which one is "better"?

Or just whatever you want. I will include any memes I get, so reply away.
Boosts help :)

0xabad1dea,

@dnsprincess “vuln scan vs pen test — which is better?”

a vuln scan is taking your temperature. a pen test is an annual physical. quick and cheap checks for common illnesses are good and you should do them, but it’s the more expensive, thorough stuff that turns up the illness that will slowly kill you

dnsprincess,

@0xabad1dea oh I love this analogy!!

kurtseifried,

@dnsprincess it’s ok if you can’t allow paid pen tests against production because of possible disruptions; attackers will do them for free.

catsalad,

deleted_by_author

wendynather,

@catsalad @dnsprincess Can confirm 💅🏽💃🏻🍾

urda,

@dnsprincess sometimes the weakest link in the software chain is the human, don’t forget about social engineering

emurphy,
techviator,

@urda @dnsprincess I disagree, it's not sometimes, it's ALWAYS!!!! Social engineering should be the first part of any pentest!

SecureOwl,

@dnsprincess The report is the most important output from any pen test, but frequently, the most rushed part of the whole thing.

The customer, or another pen tester, should be able to take a pen test report, and recreate the findings in it exactly as written - just like any other scientific testing document.

simplenomad,

@dnsprincess A bad pentest is the “checklist item” where there are strict guidelines about what’s in scope and what’s not. A good pentest has no limits. Attackers, REAL attackers, cheat. They don’t follow rules or guidelines, so if you are truly wanting to test to see what a real attacker can do, impose no limits. If you want to pass some audit that involves an accounting type firm doing an assessment with an off-the-shelf scanner, impose those non-realistic limits.

techviator,

@dnsprincess I am not a pentester, but I do work SecOps. In my limited experience I think bad documentation of scope, methodology, procedures or results is one of the biggest pitfalls.

A vulnerability scan is different from a pentest (although usually a part of it), so one is not better than the other. Vulnerability scans should be part of the scheduled routines, right after patching. Pentests should be done regularly but not as often (cost and resources being the main reason).
