A Model for Peer Vulnerability Assessment
This paper proposes a model for ongoing assessment to be performed by the system administrators that includes testing and assessment in a non-threatening environment that provides added value of education for those performing the assessments. We will first examine existing methods of assessment, make the case for a peer assessment, explore the goals and benefits of a peer assessment, and outline a generic assessment model. Source: SANS.org (December 17, 2001)
Fortifying Your Security Arsenal
Penetration testing is valuable for reality-checking your security procedures. But finding the right company to perform a penetration test isn't easy, and you have to work closely with the individual or company that performs the testing. Source: Network Magazine
Vulnerability Testing Terminology
Several glossaries are available from different fields of expertise in software engineering and information security. Yet, terminology used in the context of implementation level vulnerabilities has not stabilised.
This document collects the relevant definitions from our main areas of interest.
introduced with reference to the source. When
multiple sources present the same details on a term, only one is usually noted. An attempt is made to preserve the form of definition used in the original source.
The glossary with original wording and reference details has been found useful within the group, thus we are making it publicly available herein.
Please do not refer to this glossary, the original source is preferred. Source: University of Oulu
Guidelines for Developing Penetration "Rules of Behavior"
Regardless of the reason that draws the target organization to engage a "tiger team" to simulate hacker network attacks, the penetration testing organization has many challenges in interpreting and delivering on the client's requirements. Clearly, understanding the target organization's expectations is the most critical part of planning and implementing the penetration test. The penetration "rules of behavior" document serves an important role in formalizing the results of the planning phase for the penetration test. Source: SANS.org (August 14, 2001)
Penetration Testing - Is it right for you?
The process of performing a penetration test is to verify that new and existing applications, networks and systems are not vulnerable to a security risk that could allow unauthorized access to resources. This paper will review the steps involved in preparing for and performing a penetration test. The intended audience for this paper is project directors or managers who might be considering having a penetration test performed. The process of performing a penetration test is complex. Each company must determine if the process is appropriate for them. Source: SANS.org (March 20, 2002)
The Third Party Hacker
Companies expect third party vendors who perform penetration testing to be very honest with them, but this has proven not to be the case in every instance. Moreover, the risks associated with use of third-party testing organizations are somewhat different from those associated with the usual issues of penetration of the system from outside. This presentation is intended to help management make the right choice when outsourcing penetration testing. Source: SANS.org (February 11,
What to demand from penetration testers
Any organization contemplating a penetration test should understand the serious issues surrounding the decision. The people championing the penetration test should also analyze their reasons for doing so; the introspection may be enlightening. Source: gocsi.com
Your First Penetration Test
Having an independent accounting firm perform a thorough audit of your organization's financial records is customary; in fact, for a publicly held company, it's required. In today's connected society, it's equally important to conduct independent testing to assure that your organization's security policies adequately cover your assets (ahem) and are correctly implemented in your security systems. A penetration test or security audit provides an assessment of the vulnerabilities in your security. Moreover, a well-conducted penetration test, performed by a competent organization, will help you determine whether your operational practices, equipment, and policies are up to the task.