Getting the Most out of Penetration Testing
Not all penetration tests are the same. Some tests provide tremendous value for the relevant client. Others… less so.
Some of this difference in value comes from the testers themselves. Some testers have years of experience and scores of pentests on their resumes. Others have fancy certifications and the latest training techniques. And still others... know how to start a vulnerability scan (see our previous post about the different types of pentests).
At the same time, there are differences among the clients who want a penetration test, and these can be almost as important to the quality and ultimate value of the resulting test. Here is a high-level, humorous breakdown of the client personas we have worked with in performing our penetration tests (any resemblance to real people is entirely coincidental):
Charlie is only interested in passing his security audit, which for some reason requires a penetration test this year (they skipped that requirement last year). Captain Compliance won’t attend the engagement kick-off meeting (and will only tell you he has a conflict 15 minutes after it has started), won’t respond to your emails (how many times can you say “per my previous email” before it gets rude?), and definitely won’t read the final report.
Krystie wants to reassure her customers and clients that her application is secure. She wants a security grade, a formal letter, or even skywriting, as long as it says she is following security best practices. Any issues identified during testing will be argued, debated, and dismissed as trivial. If the testers try to report a high-risk issue, they will be fired on the spot.
Newman has never had a penetration test performed on his environment before. He is nervous and requires constant reassurance. His security knowledge is straight out of the early '90s even though he is using all of the latest development frameworks. Newman does his best to keep the scope small and rejects any optional rule of engagement ("Is SQL injection testing really necessary?").
Malcolm is representing his manager/director/executive who doesn't have time to deal with third-party contractors. Major Middle Man is doing his best, but he can't make any real decisions, approve the rules of engagement, or answer any questions about scope. He will take notes and follow up... probably tomorrow... definitely this week... or next week... at some point. Meetings tend to devolve into small talk, jokes about the local sports teams, and comments about the heat.
Tracy is so confident in her security program that she has decided to flip the script. Between honeypots, false service banners, and rabbit holes, Tracy is using the engagement to test the testers. She requests hourly updates from both the testers and her security monitoring team while she leans back casually in her office chair, sips coffee, and quietly congratulates herself on her scheme.
Vivian Security Veteran
Vivian Security Veteran has managed penetration tests before, and it shows. She has a handle on the process, invites the relevant people, asks the right questions, and actively participates in every meeting. Her focus is always on security and while she hopes for a good report, she is prepared for bad news (she has the incident response playbook bookmarked).
Barry Blue Team
Barry manages the SOC (Security Operations Center) and wants to catch every test and activity from the penetration testers. He is using the penetration test as a skills test for his team. Any slips, mistakes, or report findings will be used to improve Barry’s process.
On the theme of the value of penetration tests, the University of Kentucky recently discovered a security breach after a penetration test identified a vulnerability in one of the university's websites. The university promptly analyzed the issue and, thanks to good logging, determined that the vulnerability had already been exploited before the test found it.
The security company Cobalt released a "State of Pentesting 2021" report analyzing the results of more than 1,600 tests. Based on that analysis, Cobalt concluded that security is being integrated more into development life cycles, but issues are still slipping through the cracks, and development teams are prone to delay remediating Medium- and Low-risk findings, which sometimes leads to bigger and more costly problems later.
Google has released a tool, Allstar, to further help developers and software maintainers identify and resolve security issues. Allstar is a GitHub app that continuously checks repository and organization settings against a configured security policy (for example, that branch protection is enabled on the default branch) and, depending on how it is configured, logs the violation, opens an issue, or fixes the setting when a repository drifts from that policy.
Once again, reports on ransomware show that both the number of attacks and the size of payments are escalating. Dark Reading reports that 30% of ransomware payments in the past 12 months have topped $30 million.