The tweet from @jasonmoliver said, "I like to look at them as breadth vs depth. PT (pen-testing) was designed to be more of a depth test." I agree that pen testing does go to a depth that risk assessments can't. The primary reason is that risk assessments are more an intellectual "what if" exercise to determine the risk to a business.
A pen test is a technical exercise that determines the validity of one or more of the threats in the risk assessment and whether that threat (internal or external) could really get to the "crown jewels."
It's that last part that leads me back to what started the Twitter thread -- @jabra's blog post, "Goal Oriented Pentesting -- The new Process for Penetration Testing."
To be perfectly honest, I didn't think there was another way of doing a pen test. If you had asked me yesterday what a pen test was, I would have said it's a test to determine whether you get to the crown jewels of an organization. All of the pen tests I've been involved with have focused on the highest risk areas, and the goal has been to see if we can access that "high risk" system, data, or account.
Based on Jabra's post, I'm guessing there must be "blind" pen tests that companies are paying for where the pen tester is told to only "break in," but that seems pointless to me. Of course, they are going to break in -- unless there are some unreasonable time or scope constraints where it must be done within 24 hours, or they can only test five IP addresses.
For companies looking for a pen-testing firm, do your homework. Ask your peers who they use, get their thoughts on the deliverables after the pen test is over, and get a feel for the competency of the firm by talking to previous customers. Make sure you're not going to get the old bait-and-switch where you meet with a "rock star" pen tester who sells you his services only to later find out some junior tester (or intern) is doing the actual work.
And don't always settle on the cheapest. I don't want to use the "you get what you pay for" statement, but it often is the delineator between a real pen test and vulnerability scan report you could have run yourself.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.