What is Pentesting, Vulnerability Scanning, which one do you need?

I get very often asked about these two concepts and I noticed that there is a lot of unclarity around these topics. At the end, I will tell you my own opinion and give you some advices.   Vulnerability scan Also known as Vulnerability Assessment, looks for known vulnerabilities in your systems and reports potential exposures. Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVas to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or missing Apache web server patches and will alert if found. The software then produces a report that lists out found vulnerabilities and (depending on the software and options selected) will give an indication of the severity of the vulnerability and basic remediation steps. It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.   Penetration test (aka “pentest”) Designed to actually exploit weaknesses in the architecture of your…

No Image

The AMTSO debate

Since I heard the first time about AMTSO (Anti Malware Testing Standards Organization), in one of the VB Conferences (I think two years ago), I asked myself whether or not this association makes sense. I’ve heard later on that Avira is also part of it. But, I simply forgot about this issue. I recently started to hear a lot of noise about this issue, saying that AMTSO represents only the interests of the AV Industry and not those of the user getting infected. I don’t have yet an opinion, but as soon as I have one, I’ll post it 😉 Here are links with PROs and CONs arguments: PROs: Joint Blog By amtso http://www.avertlabs.com/research/blog/index.php/2010/07/07/testing-and-accountability/ http://community.norton.com/t5/Norton-Protection-Blog/Testing-and-Accountability/ba-p/247711 http://www.securelist.com/en/blog?weblogid=2224 http://pandalabs.pandasecurity.com/testing-and-accountability/ http://www.eset.com/blog/2010/07/07/testing-and-accountability A related blog was published on the AVIEN blog CONs: The AMTSO Melee Anti Malware Testing Standards Organization: a dissenting view AMTSO: a serious attempt to clean up anti-malware testing; or just a great big con? (please read the discussion thread there !!!)

%d bloggers like this: