This topic contains 1 reply, has 2 voices, and was last updated by misconfig_exe 1 month ago.
- September 22, 2020 at 1:30 pm #310197
This is my second security company. In both companies, VA meant just running a Nessus scan. I understand the difference between VA and PT, but I don’t know where to draw the line.
So, please help me understand this. What does a proper VA consist of? What are all the tools and tactics I can use for it?
- September 22, 2020 at 1:30 pm #310198
Rule 4 and low effort
- September 22, 2020 at 1:30 pm #310199
As you have found, there is no formal definition of what entails a vuln assessment, or a pen test for that matter. Every company will determine its own methodology. Personally, I focus on scope and what the client is concerned about. It makes more sense to spend more time on something specific than to scan everything. I personally draw the line between a VA and a PT at whether you are actively trying to exploit something. A VA will just identify, but not validate. I personally think the firms that just run Nessus on a VA are lazy, but probably cheap.