There’s been increasing debate online and in the cybersecurity sector recently over both the future and current utility of penetration testing.
Some experts suggest that, in its current form, penetration testing is something of a waste of time, whereas others believe that it remains a vital tool in ensuring effective cybersecurity.
Both arguments have some merit.
Penetration tests, when properly scoped, highlight assets and functionality which can be abused by an attacker looking to gain access to an organization. However, poorly scoped penetration tests don’t always offer good value.
Often companies use penetration tests not because they genuinely want to test the security of their systems but rather as a way of appeasing an auditor or demonstrating compliance. If the motivation is simply to meet rigid compliance requirements, then the outcomes are often not useful.
Even worse, perhaps, some vendors appear to offer penetration testing but then charge a great deal of money to perform what is essentially a vulnerability & patch assessment scan using commercial off-the-shelf products. They then take the report from that product, re-badge it, and send it to the customer. Unhelpfully, this could tar all penetration testing companies, to whom such behavior is anathema, with the same negative brush.
Just performing a vulnerability assessment does help, as it can identify any low-hanging fruit that could be a potentially easy attack surface for script kiddies or professional attackers to focus on.
It is, however, a far cry from proper penetration testing, which leverages the penetration tester’s years of experience and deviousness/cunning to use blended attacks to compromise the customer in much the same way that actual attacks may.
At the end of the engagement, communicating the risk is one of the toughest challenges in both penetration testing and cybersecurity in general: how do we make the message intelligible to the recipient, especially if they don’t have a cyber background (as is the case for many decision-makers)?
Traditional pen-testing and vulnerability scanning can fall into this category: often the results of penetration tests are so complex and potentially convoluted that the customer doesn’t derive the full benefit from them.
So, what’s the future for penetration testing likely to be?
If asked, we would wager that most penetration testers would prefer to focus on the things that really matter, simulating realistic threats, rather than be bogged down by time-consuming vulnerability assessment-related tasks.