PCN Magazine - Vol. 7 Issue 2

Page 22

Ted Harrington

So...

If you have a software system that protects valuable data or other assets, you probably want to have it tested for security vulnerabilities. That has perhaps led you to explore the types of security assessment available, and you've probably found that the most commonly referenced one is "penetration testing." What many companies don't realize, however, is that what is sold as "penetration testing" often isn't penetration testing at all. Worse yet, they don't realize that they might actually need something else. When it comes to testing applications for security vulnerabilities, terms are misused all the time, and if you don't notice it happening, the consequences can be dire. Most people ask for penetration testing but are sold vulnerability scanning instead. What most people actually need is something else entirely: a vulnerability assessment. Those are three remarkably different things. Each requires a different investment of time, effort and money. Each has different goals. Each produces different outcomes.


Penetration Testing

The most commonly referenced type of security testing is "penetration testing." That has become a catch-all term, and, unfortunately, it's misleading. Actual penetration testing is a tactical service suitable for robust, hardened, thoroughly tested systems. It's a time-constrained effort to measure a single outcome. For example, a penetration test might seek to answer the question "could an attacker escalate basic user privileges to admin rights?" The result is either yes or no; there is no other outcome. Penetration testing is excellent when you have a mature, well-tested defence and you want to determine whether that defence still stands up to a simulated attack. Think of it like a carmaker that wants to understand how a vehicle performs in a crash, so it drives the car into a wall to see what happens. It's great for understanding a specific scenario, but it is only suitable for a system that has already been thoroughly tested. And it is only intended to show what happens in that particular scenario; it is not intended to be holistic.
