06:40 PM
Vincent Liu
The What And The Why Of Professional Penetration Testing

Welcome to the first in a series of posts on professional penetration testing. During the course of the next few entries, I will shed light on the often confusing and rarely straightforward world of penetration testing based on my experience during the past decade as both a professional penetration tester and a manager of penetration testing teams.

A penetration test is a type of security assessment that simulates a real-world attack by a determined adversary against one or more of your target assets. These assets can be networks, applications, devices, infrastructure, or anything else you deem important enough to protect. What makes penetration testing unique is the actual exploitation of targets in a live environment. Unlike other forms of security assessments, penetration testing's approach really does mean that the penetration tester will attempt to actively exploit identified vulnerabilities and attempt to leverage any weaknesses within the targets to gain further access.

When deciding whether a pen test should be conducted, an organization should be trying to answer the following question: "Can someone break into my sensitive assets?" A penetration test's primary purpose is to breach the security of a target in as realistic a fashion as possible. By contrast, the focus of a pen test is not to identify as many vulnerabilities as possible, and it is not to calculate the risk that an asset poses. While hybrid variations do exist, in their pure form those types of security tests would be more accurately termed "vulnerability assessments" and "risk assessments," respectively.

As part of my job, I often encounter people who confuse the terms and wind up asking for one thing and wanting another. I've had clients ask me for penetration testing but to avoid performing any exploitation. Once I even had a client ask me for a "robot test" -- but that's neither here nor there. So remember that when requesting a penetration test, you're really asking for a real-world attack that involves exploiting your targets to determine whether their security can be compromised.

Over the years, I've observed a steady increase in the use of penetration testing by organizations attempting to secure their systems. As recently as a few years ago, you would find that the vast majority of organizations did not perform any kind of security testing. This is perhaps understandable, as they had no compelling reason to do so other than it being a "good idea" -- like flossing every day. But with the threats facing a company's assets growing in number and sophistication, there has been a corresponding increase in organizational awareness of these risks and an expansion in the effort taken to protect against them. So it should come as no surprise to see that several interested parties have begun pushing for the use of pen testing to validate the security of a system.

But why do organizations ask for penetration testing? In my experience, I've found the most common reasons a company performs penetration testing to be the following:

  • Meeting a regulatory, industry, or customer requirement (e.g., FISMA, PCI, NERC CIP);
  • confirming the security of an application as part of the secure development life cycle;
  • validating a risk or vulnerability management program's effectiveness;
  • proving the (in)security of a system to make (or break) a case; and
  • demonstrating the real consequences of unaddressed vulnerabilities.

By far the largest driver is the growing number of regulatory and industry requirements calling for this type of testing, usually on an annual basis. In addition, an increase in consumer awareness has prompted companies to also enforce stronger security requirements internally against their own systems as well as against any systems owned by third-party providers. To be blunt, these drivers amount to "because I said so" reasoning. And, of course, you comply if you want to pass the audit or win the business.

Penetration testing is also one of the first activities to be established by development organizations that are in the process of adopting or have already established an active application security program. Usually the pen testing is conducted alongside QA testing or as the final phase before release into production.

Penetration testing can also be used to determine the efficacy of established risk or vulnerability management programs. This type of testing can be seen as a form of security controls testing and is normally performed on an annual basis. Many companies also have security policies that mandate an annual penetration test. Less commonly, although frequently enough to warrant mention, pen testing can be used to prove the (in)security of a system or demonstrate the real-world impact of insecure systems and unmitigated vulnerabilities.

Of course, there are many additional reasons for performing a penetration test, but whatever the driver, the test should fundamentally answer the question of whether the security of the system can be breached.

Stay tuned for the next entry in this series on professional penetration testing. I'll discuss the different types and variations of penetration tests in addition to beginning a larger discussion on the different skill levels of penetration testers.

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu, a security consulting firm providing IT security services to the Fortune 1000 and global financial institutions, as well as U.S. and foreign governments. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. He has presented his research at conferences including Black Hat, ToorCon, InfoSec World, SANS, and Microsoft BlueHat. Vincent has been published in interviews, journals, and books with highlights including "Hacking Exposed: Wireless" and "Hacking Exposed: Web Applications." Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
