Thursday, May 28, 2009

Pentest/assessment scope

Discussing some dynamics of contemporary pentests with other security professionals indicated that clients may not be willing to expand their scope to include client-side testing. I wrote this to help communicate my thoughts on the matter. I am including web application assessment in this, but I don't actually spell it out; perhaps I should. It's a lot to have to handle, to attempt to be good in all these areas.

I propose combining a traditional vulnerability assessment and a traditional penetration test with a client-side penetration test, in order to discover not only directly penetrable issues but also potential issues that may weaken security or be used in a staged attack. This combines the traditional vulnerability assessment process (scanning tools plus manual analysis to find potential issues across the whole attack surface in scope), the actual or attempted penetration of any vulnerabilities found, and a client-side penetration test, so that the engagement reflects a modern real-world attack. A client-side penetration test targets the end users, the software they use, the business processes they engage in, and any access they may already have. Technical vulnerabilities and "social engineering" techniques are used together to more closely match the real risks posed by a modern attacker. A traditional penetration test covers only a portion of the attack surface and can lead to a false sense of security. The scope of such an assessment must therefore be expanded to include any attack surface that may lead towards the actual target. Real attacks on hardened targets usually proceed in stages and are rarely thrown directly at the hardened target, which has been built to resist exactly such techniques.


  1. It certainly makes that internal pentest make more sense when you can get the client to allow or at least understand the impact of client-side attacks.

  2. Chris, I agree. If the pentests lag behind the criminal attackers' techniques, then where's the value? IMHO, pentesters should be AT LEAST equal in skill and technique to the most likely attackers against any given client. Ideally, pentesters would be a bit AHEAD of the curve.