Penetration Testing Grows Up

Metasploit's expected entry into the commercial penetration testing market is the latest step toward making pen testing more mainstream
Selby says the most important thing about the enterprise user of a penetration testing tool is that he or she is not a "thrill seeker." "They have to be curious and creative, but just short of insurrectional. You don't want to turn a loose cannon around free in your network," Selby says. "You want to make sure the person has the intellectual curiosity and capability to run these tools without causing damage -- and [is] not [doing it] just for fun."

Meanwhile, PCI DSS has played a major role in making penetration testing more of a household name in the enterprise. PCI specifically requires penetration testing of networks and applications, either internally by an experienced pen tester within the enterprise or by a third-party tester. Trident's Selby says it makes sense for enterprises -- especially those under PCI rules -- to run internal penetration tests as well as to hire out external pen tests. "There's a great advantage to building [penetration testing] internally," namely that your organization is more informed when the external pen testers do the job and provide their results, he says.

But penetration testing tools are still missing some key features that would make them more appealing to a broader array of enterprises and users. Core's Arce says pen-testing tools in 2010 will "scale up" in size and in the number of times enterprises deploy them internally. And Rapid7's Moore says reporting and analysis will improve in these tools: "The ability of scanning products to take it one step further, to 'should I care about that or not?' Hopefully, we'll see some improvements in that," Moore says. "And more reporting/analysis so that when you find something exploitable you can look around and find out what else you can do" with it, he says, noting that Core's product addresses some of this.

Ideally, the vulnerability scanner would be tied in with the pen-test exploit tools and automatically show you "where to focus" your efforts, Moore says.

Trident's Selby says workflow management and topology assessment need to be improved in pen-testing tools, as well as a better user interface. "Even in Core, which has a great user interface, you need a better graphical representation of where you are in the network and what you're looking at," Selby says.

Meanwhile, Core, Immunity, and Metasploit's penetration testing tools have evolved beyond the early days of mainly network pen tests, to testing Web applications and wireless networks for exploitable holes -- using both exploits and other hacks into weaknesses. "We're currently working on networks, operating systems, applications, client-side applications, users, wireless, and Web applications," Core's Arce says.
