ST1114 Posted April 22, 2014 Share Posted April 22, 2014 I am currently working on a research project and was told about a study that had two penetration tests on the same network and found that their individual findings only overlapped by roughly 25%--AKA they only find 25% of the same vulnerabilities. I was told that this was a study done by Microsoft but have searched high and low and been unable to find it. I was hoping someone else may have some information or know where to find this report or any reports with similar findings. Quote Link to comment Share on other sites More sharing options...
cooper Posted April 22, 2014 Share Posted April 22, 2014 I don't know of it but I'm not surprised. Audits are time-constrained. If the system was audited and where necessary fixed a year or so ago, the auditor can do a quick automated test for the common stuff (and that 25% is probably the newly discovered but unpatched on this server instance stuff) the rest is the auditor doing his thing, focussing on that which he or she knows best. If you get two auditors who specialise in different subjects within the security context, it's not unexpected to see little overlap in the remainder of the problems found. Quote Link to comment Share on other sites More sharing options...
Karit Posted April 23, 2014 Share Posted April 23, 2014 That is why you should regularly change your PenTesting firms. Each firm has its different processes, methodologies, skill sets etc so good to swap the companies as they will all find different things. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.