Vulnerabilities / Threats

11/18/2009 06:07 PM
Penetration Testing Grows Up

Metasploit's expected entry into the commercial penetration testing market is the latest step toward making pen testing more mainstream

Penetration testing, once considered a risky practice for the enterprise and even a tool for malicious hacking, is becoming an accepted mainstream process, mainly because of compliance requirements, more automated and user-friendly tools, and, most recently, the imminent arrival of a commercial offering based on the popular open-source Metasploit tool.

Rapid7's purchase of the Metasploit Project last month and its hiring of Metasploit's renowned creator, HD Moore, demonstrate just how far penetration testing has come during the past 18 months, security analysts say. While some organizations still confuse penetration testing with the more pervasive vulnerability scanning, which searches for and pinpoints specific vulnerabilities and weaknesses, penetration testing is finally about to enter a new phase of commercial deployment.

Penetration testing basically puts the tester in the shoes of a would-be attacker, using exploits and attack combinations against a network or application to find where the actual exploitable weaknesses lie.

"This is an exciting time because we're starting to see even the edgy [penetration testing providers] look to the enterprise as a viable market," says Nick Selby, managing director of Trident Risk Management, a Dallas-based security consulting firm. "The technology is more mature so that the more experienced and skilled penetration testers have better toolsets than ever...and the less experienced ones can do more of the low-hanging fruit work."

Penetration testing traditionally has been the domain of white hat hackers, as well as script kiddies and even black-hat types. But as leading penetration testing vendors Core Security Technologies and Immunity Inc. have struck partnerships with top vulnerability scanning vendors and worked on developing more user-friendly versions of their tools, pen testing has begun to gain broader appeal within the enterprise. Core, for instance, has partnerships with eEye, GFI, IBM, Lumension, nCircle, Qualys, and Tenable, while Immunity has also teamed up with Tenable.

"Pen testing has been a bit too edgy up until now to fully integrate with the more safe and steady-as-she-goes vulnerability assessment scanning," Selby says. "But that's changing: Over the coming year, we'll see better integration with the existing partnerships Core and Immunity have. And with the rapid integration of Rapid7 and Metasploit, vulnerability assessment and penetration testing will become better defined in the minds of run-of-the-mill security specialists and managers."

Rapid7 has said it plans to enhance its NeXpose vulnerability management products, as well as its penetration testing services, with Metasploit technology. Although Rapid7 is still looking at just how it will combine these technologies, the company is considering keeping Metasploit a separate product that's heavily integrated with its existing vulnerability scanning product and pen-testing services.

Corey Thomas, vice president of products and operations at Rapid7, said recently that the goal is for Metasploit's exploit technology to help determine which of the vulnerabilities found by NeXpose are actually exploitable.

Moore, now Rapid7's chief security officer, says the old worries about a pen test knocking a server or service offline have been superseded by bigger concerns about what an attacker could do. The risk of an attacker doing serious damage has more enterprises starting to use pen-testing tools or hiring outside pen testers. "If you have let the malware in, you might as well let the pen tester in," Moore says.

Meanwhile, the profile of today's pen tester is changing, too, albeit less rapidly. Traditionally the domain of security specialists and hackers, pen-testing duties are starting to fall to others in the enterprise as well.

Ivan Arce, CTO of Core, says that when Core first started out, it was an internal security expert or an outside consultant who used its tools. "It was a more technical person with knowledge about exploits and attacks and who could manually choose actions one by one," Arce says. "Over time as we've added automation and ease of use, the barrier to entry was lowered. Today, it's not [always] necessarily a pen tester" using the tools, he says. It may be a network security professional, a vulnerability specialist, a Web security specialist, a security user, an auditor, or a developer. "I see that trend expanding and increasing in the future," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
