What's the point of "penetration testing"? - Following the White Rabbit Blog

Over the last 8 years in IT Security, I've had at least a professional interest in the idea of penetration testing, and my opinion of this service has evolved as the IT Security market niche matures and grows.  I wanted to take a minute to discuss it with the readers out there, and maybe solicit some opinions on the topic if you're willing to offer yours.  I'll reserve my personal opinion for the end, but wanted to present some thoughts, rebuttals and commentary on these here.  I'm going to address penetration testing in the context of web applications - but this can be applied to virtually any technology out there.

Let's first look at the arguments for penetration testing:

  • Penetration testing provides a hacker's-eye view of your web application attack surface
  • Penetration testing provides an outsider's view of your web application attack surface
  • Penetration testers will often find ways to manipulate your applications in ways your developers never thought possible
  • Penetration testing offers the client an opportunity to get a snapshot picture of your security posture
  • A penetration test goes more in-depth than a "security scan" by identifying and exploiting real weaknesses

Those are some compelling points, to be sure.  Security is a very strange fish; it changes so drastically and so often that it's almost impossible to be entirely up-to-date all the time, unless that is your sole job.  This is precisely what penetration testers are great at - they focus their entire energy on researching, identifying, and exploiting security weaknesses in, in this example, web applications.  There really isn't any amount of "scanning" that an automated tool can do which will match the power and adaptive capability of the human mind - I don't think anyone will argue that - so the value of employing someone who is extremely versed in this sort of thing is akin to having your transmission looked at by a transmission-only specialist... you do it because you want to go to the expert.  There are varying degrees of expertise, of course, and let's not even try to disagree that you get what you pay for.  If you want a top-notch security expert, you're likely going to be hiring someone with a shady past, and it's going to cost a lot - but at least you know you're getting the top talent matching wits with your pro-active security measures.  But what about the other side of the coin?

Let's look at arguments against penetration testing:

  • Penetration testing can be argued to be a test of the 'tester' not the target
  • Penetration testing isn't an exact science, and rarely standardized
  • Penetration testing results are inconsistent
  • Penetration testing is too expensive
  • Penetration testing is only a snapshot in time

With those arguments against penetration testing - how can one reasonably conclude it's a good idea?  Well, the fact of the matter is that penetration testing is expensive, inconsistent and rarely an exact, standardized process (unless you pick one of the top firms which have standardized).  Yes, sometimes the results are inconsistent and a mere snapshot in time, not an accurate assessment of your strategy as a whole.  The argument has also been made that a penetration test result is often a test of the "tester's" intelligence and hacking prowess, and not necessarily of the defenses... however I would say think twice about that argument.  Isn't that the point?  You hire the best, and they put their mind to the test against your defenses.  So now the pros are weighed against the cons... and the money issue is always at the forefront of the decision to go one way or the other.  I will only offer you these words... Strike a balance in your strategy - but do not fail to test yourself.

Remember, the right balance when it comes to penetration testing is in moderation.  You can't reasonably have a penetration test done once a week, as it would destroy your budget.  You also shouldn't do it once a year - as that's probably too rare.  The right balance is a combination of automated tools which you and your security team can use to self-assess, plus a seasoned expert tester to check your sanity and your environment.  Heed my warning... find your vulnerabilities, because if you're not testing the security of your web applications - rest assured someone else is.

Posted 04-04-2008 1:45 PM by Rafal Los

Comments

Santosh Dhere wrote re: What's the point of "penetration testing"?
on 06-23-2008 1:51 AM

Hi,

I had a few queries on WebInspect's capabilities.

1. Does WebInspect provide better results compared to pen testers?

2. What testing would one do in addition to doing WebInspect?

3. Does WebInspect do compliance testing like PCI, SOX etc.? If so, does it need any special module/license?

Thanks, Santosh

RafalLos wrote re: What's the point of "penetration testing"?
on 06-27-2008 11:07 PM

1. I would never put the two against each other.  This is because an automated tool can never compare to an analytical mind, however, an automated tool can repeat the same task with much greater efficiency than a human.  6 of one, half-dozen of the other.  In other words, both a reasonably trained human and a tool (such as WebInspect) are required as they work off each other to where the sum is greater than its parts.

2. This is a question that could be an entire article in itself... but simply put - there are a wealth of other "tests" that can and should be performed during the rest of the application lifecycle.  I will state here and now that if a WebInspect pre-production scan is what you're building your enterprise application security strategy on - your program will fail.  You need to integrate security throughout the lifecycle to avoid becoming the "security speedbump"... but that's another article in itself (and will be in the future).

3. Yes, compliance is part of the reporting options; no - no separate license required.

Great questions - please feel free to contact me directly if you would like to join a workshop, or have a presentation sent your way.

Cheers.


rayn wrote re: What's the point of "penetration testing"?
on 07-22-2008 1:45 AM

Hi,

I only had a quick question which may be a bit off the topic; however, your suggestion from a security professional's view is valuable.

I have a heavy user acceptance testing and technical background in the IT field; however, security has been an aspect that I'm very much interested in, and I was thinking of doing a CEH (Certified Ethical Hacking) course as a starting point.

So my question is, will this course be of any value in kick-starting a career in the security field?

Thanks,

RafalLos wrote re: What's the point of "penetration testing"?
on 07-22-2008 5:56 AM

@rayn:

The CEH is just as valuable as any of the other alphabet-soup certifications (such as the MCSE, for example).  The thing you have to remember is that exams don't really tell your employer that you actually know anything, just that you can take a test and memorize.  I know this is a gross generalization and there are exceptions such as well-written exams like the CCIE and the CISSP (or so they tell me).

Personally I would advocate you find a decent job which will utilize your current skills and apply them in a security capacity (such as penetration testing) and let you move up as your security ninja skills improve.

It's all going to depend on what you want to do when you "grow up" in your career... and for you the CEH may just be a good place to start if you're at square -1.  For me... I still don't know what I want to be when I "grow up"... which is probably why I enjoy security so much.

Albert wrote re: What's the point of "penetration testing"?
on 11-25-2008 8:46 PM

Hi,

Please excuse my seemingly poor lack of knowledge as I am a junior web programmer, fresh out of University.  I have been in the role for less than 6 months.

What I would like to ask the real security pros. here is about penetration testing open source platforms.  Specifically these are Drupal (content management system) and magento (e-commerce platform).

What would your approach be to them?  I have read that core developers and module contributors should be testing their own code and hear that security is taken care of by these platforms.  Does this mean an independent pen. test is not required?

Thanks in advance.

RafalLos wrote re: What's the point of "penetration testing"?
on 11-26-2008 4:28 AM

@Albert:

I will answer your question with another... perhaps to illustrate my point:

If you were buying a house, and the builder said "trust us, we're doing a great job," wouldn't you go and check up on them yourself, just to make sure?

Open-Source isn't magically more secure by any stretch of the imagination; it's just often times (but not always) more transparent.  You've got me thinking on the topic - so look for a new blog article on this issue shortly. :)

Albert wrote re: What's the point of "penetration testing"?
on 11-26-2008 11:00 PM

Thanks RafalLos.

I am really excited and looking forward to that blog now.

Please let me know where the blog will be on this message board.

Thanks again
