What is the future of penetration testing?
Maxine Eunson
Empowering C-Suite Leaders to Drive Growth, Innovation, and Lasting Impact Through Strategic Partnerships
There’s been increasing debate online and in the cybersecurity sector recently over both the future and current utility of penetration testing.
Some experts suggest that in its current form penetration testing is something of a waste of time whereas others believe that it remains a vital tool in ensuring effective cybersecurity.
Both arguments have some merit
Penetration tests, when properly scoped, highlight assets and functionality which can be abused by an attacker looking to gain access to an organisation. However, poorly scoped penetration tests don’t always offer good value.
Often companies use penetration tests not because they genuinely want to test the security of their systems but rather as a way of appeasing an auditor or demonstrating compliance. If the motivation is simply to meet rigid compliance requirements, then the outcomes are often not useful.
Even worse, perhaps, some vendors appear to offer penetration testing but then charge a great deal of money to perform what is essentially a vulnerability & patch assessment scan using commercial off the shelf products. Then they take the report from said product, re-badge it, and send it to a customer. Unhelpfully, this could tar all penetration testing companies, to whom such behaviour is anathema, with the same negative brush.
Whilst just performing a vulnerability assessment does help as it can identify any low hanging fruit that could be a potentially easy attack surface for script kiddies or professional attackers to focus on.
It is, however, a far cry from proper penetration testing which looks to leverage the penetration testers years of experience and deviousness/cunning to use blended attacks to compromise the customer in a very similar way to how actual attacks may look to.
At the end of the engagement communicating the risk is one of the toughest challenges in both penetration testing and cybersecurity in general: how do we make the message intelligible to the recipient, especially if they don’t have a cyber background (as is the case for many decision makers).
Traditional pen-testing and vulnerability scanning can fall into this category - often the results of penetration tests are complex and potentially convoluted that the customer doesn’t derive the full benefit from them.
So, what’s the future for penetration testing likely to be?
If asked, we would wager that most penetration testers would prefer to focus on the things that really matter, simulating realistic threats, rather than be bogged down by time-consuming vulnerability assessment related tasks.
Perhaps if automation could be introduced to perform the mundane heavy lifting whilst providing the customer with deliverables tailored to their technical level/needs then valuable and highly specialist penetration testers could focus on areas really demanding their highly skilled attention namely attacking customers like they actually are attacked then even on a reduced overall spend the customer will get much better value. Enter tools like CyberScore, provided to you as either a managed or unmanaged service by Gamma.
Automation of the baseline security testing allows the human tester to focus their time and expertise on actually simulating realistic threats. Rather than automation that aims to replace the human element, tools such as CyberScore are an enabling technology.
CyberScore has been designed so that a client can have a view of their security posture any time they wish, so that they can fix their ‘low hanging fruit’ issues themselves - meaning that when we are commissioned to perform a pen-test on a customer, we are actively probing for and using the blended attacks which are used by attackers to infiltrate the network.
Thus, the client gets more value for money, and our testers are not sitting around drinking coffee whilst the vulnerability scanning software is at work.
For a potentially reduced overall spend the customer can get regular CyberScore assessments whilst still allowing their pen-test team to spend significantly more time than they were before on simulating realistic threat.
I think this solution is just what the industry have been craving - to learn more about it or have a chat, reach out to me [email protected] or give me a call on 07458 064777.