Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:34 PM
Connect Directly

Penetration Testing, Vulnerability Scanning, And The Big Picture

New technologies aim to show organization's overall security posture

Getting a handle on an organization's true security posture can be like pinning down a moving target. But new features and technologies are becoming available that bring organizations closer to a true picture of where their actual risks lay -- and what they should do to about them.

Penetration testing firms Core Security and Rapid7, for instance, are rolling out new products and features that bring pen testing and vulnerability scanning to a different level. Core Security's new Core Insight, an automated testing platform that regularly pen tests and analyzes the exploitability of threats to a business, offers multiple dashboard levels of information and reports for security, IT, and businesspeople. The idea is to map the threats to the business' sensitive assets and operations.

Rapid7 in its commercial Metasploit products has been integrating its NeXpose vulnerability scanning with Metasploit penetration testing and making the output more user-friendly. It has done the same with the open-source Metasploit version, according to HD Moore, chief security officer for Rapid7 and the creator of Metasploit.

Core's Insight -- which is in beta and scheduled to ship on Dec. 15 -- basically integrates and extends pen testing and vulnerability scanning, experts say. "Certainly this is an extension of the two categories of products and bringing them together: The traditional low-touch vulnerability scan tends to be done in snapshots, and with the penetration test a human looks at, 'How far can I get in? Can I actually exploit this?' Bringing those two together gives you low and slow and continuous assessment," says Diana Kelley, partner with Security Curve. "And [this assessment] is automated, so you can do it all the time."

Kelley says the problem with periodic scanning and testing is that it captures "a point in time," which may not reflect all of the real risks as networks shift and change. "This is the next phase beyond, 'There I am, and I'll check it again in three months,'" she says. It's an approach akin to what WhiteHat Security does with its dynamic Web scanning, she says, but differs from security information and event management (SIEM) products because those tools focus on what has already occurred.

It's becoming increasingly important to be able to spell out what certain bugs and exploits actually mean risk-wise to your business applications and operations, she says.

That doesn't mean replacing the human pen tester, of course. "This isn't looking to replace humans," Kelley says. "It's just a way of getting pen-testing [information] into the hands of those who [aren't experienced] with it."

More intelligence and actionable information helps organizations with limited resources, security experts say. "We got a lot of feedback from organizations saying they were getting all of this information about what vulns they have, but they can't easily match them to their business risks or assets," says Alex Horan, director of product management for Core. "[Insight] fills the gap between vulnerability information and all the things the business cares about ... we show how it maps to their exposure and risk."

Rapid7's Moore says the reason vulnerability scanning and pen testing are coming together is that you can't do one without the other. "We see a lot of folks doing a NeXpose scan saying, 'What do I need to focus on first?' The penetration-testing angle helps identify what the priorities are -- even if you aren't penetration testing, you can use it to verify" the actual risks associated with the vulnerabilities that are found, he says.

"What we're trying to do with Metasploit Express and Pro is bring the pen-testing usability bar down a little bit" to non-pen-testing experts, he says. "If you have the skill set and want to, you can do a hands-on, deep dive. Or if you just want to verify vulnerabilities, the pen-test tools now automate that well enough now. You don't have to be a pen-test expert."

Moore warns that continuous pen testing, however, could be risky due to the possibility of crashing a server before you can fix the bugs that are discovered. "When that is automated, there are chances of knocking [something] out," he says. Moore says weekly pen tests are typically sufficient.

"There's definitely a convergence in penetration testing and vulnerability scanning, asset management," and similar tasks, he says. Organizations are asking what to fix first, and need ways to verify and validate that, he says.

Larry Whiteside, CISO of the Visiting Nurse Service of New York, is currently beta-testing Core Insight. Whiteside, who helped push Core to build the tool, says he doesn't have the resources to dig through all of the threats and vulnerabilities his tools find. He has a small security staff of two, including himself. "We have 80-plus developers on staff and no one has the bandwidth to be everywhere at the same time and doing all the testing," he says.

Whiteside had previously handed off the data from pen-test and vulnerability scans to nonsecurity staffers to help his team prioritize what to fix first. "That approach is not the best way, leaving it up to people who don't necessarily understand security as well as a person in the security group," he says. "I really wanted Core to deal with the automation and pen-testing function and forget about it ... and go back and say, 'You need to do this because this is exploitable,'" for example, he says.

He says the idea is to be more proactive in mitigating threats. "One of the big things I stress is that the reporting needs to ... have the capability that a nonsecurity person can understand it. So they can look at the dashboard, report, and understand exactly what happened," Whiteside says. "It would have reports that come out every time it scans, what happened, what you need to do to mitigate it, whether it's a configuration change ... this is what we recommend to do."

Visiting Nurse Service of New York's Whiteside says these capabilities don't overlap with SIEM, however. "SIEM is really an aggregation tool," he says.

Fred Pinkett, vice president of product management for Core, describes it this way: "SIEM is about activity on the network. We are more about security posture ... SIEM and SIM are like military intelligence, and we're about understanding where your forces are standing," he says. "This is two sides of the coin and both are necessary."

To that end, Core plans to eventually integrate Insight with SIEM and SIM products as well, according to Pinkett.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
The Data-Centric Path to Zero Trust
Altaz Valani, Director of Insights Research, Security Compass,  1/13/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).