
Looking for study that found 2 pen testers only ID 25% overlapping vulnerabilities



I am currently working on a research project and was told about a study in which two penetration tests were run on the same network and their individual findings only overlapped by roughly 25%, i.e. they only found 25% of the same vulnerabilities. I was told that this was a study done by Microsoft, but I have searched high and low and been unable to find it. I was hoping someone else may have some information or know where to find this report, or any reports with similar findings.


I don't know of it, but I'm not surprised. Audits are time-constrained. If the system was audited and, where necessary, fixed a year or so ago, the auditor can do a quick automated test for the common stuff (and that 25% is probably the newly discovered but still unpatched stuff on this server instance); the rest is the auditor doing his thing, focussing on what he or she knows best. If you get two auditors who specialise in different subjects within the security context, it's not unexpected to see little overlap in the remainder of the problems found.
