Jeremiah Grossman: The difference between Security Assessments and Penetration Tests
Interesting post from Jeremiah Grossman on the differences between security assessments and Penetration Tests.
He's pretty much captured all the salient points and it's well worth reading as it's a pretty common point of confusion (even amongst general InfoSec people)
One thing that strikes me about it, is it leads to the question "When would I want a penetration test then?". The answer seems to me to be "only when you're pretty confident that it won't find anything!"
The reason for this is that until everything is locked down and sorted you should be doing security assessment style reviews which try to find all the available security weaknesses and only when you're comfortable that it should all be right do you engage with a penetration testing team to try that black box "try and break in" approach.
The other point would be, if you can only afford to have one type of review done, a penetration test probably isn't a good idea, in that whilst it will prove if you can be broken into (at a given point in time by a given person), there's still the likelihood that there are other ways of breaking in that haven't been found as the penetration tester probably won't keep looking once they're in...