Avoid this Mistake When Sourcing a Penetration Test
- Sep 02, 2014
- Guest Author
Understanding how to effectively evaluate and select a penetration testing vendor can be a challenging exercise. Frequently the problem comes down to an inaccurate or misaligned definition of “penetration testing services”. To be clear, you need to be sure you are getting a true penetration test and not just a vulnerability scan.
In many instances, the two processes start out similarly. The blog post "An introduction to IT security assessments" provides more details. However, vulnerability scans and penetration tests are not synonymous. The remainder of this article outlines the primary differences.
A penetration test simulates a real-world attack, which requires a person at a computer actively attempting to exploit vulnerabilities and gain access to system resources. While there are automated elements to penetration testing, particularly during the reconnaissance phase, working out how a vulnerability can be exploited and documenting the steps taken to exploit it is a manual process. The information discovered during each phase of testing must be intelligently fed back into the testing methodology. And of course this needs to be done without damaging or disrupting production services in your environment!
There are a number of industry-recognized methodologies specific to penetration testing. Examples include the Open Source Security Testing Methodology, NIST 800-115, and others. You need to decide the level of confidence you have in the methodology and how comprehensive the penetration test needs to be in order to meet your risk tolerance and/or achieve compliance. Generally an experienced penetration tester will leverage the best practices across multiple frameworks.
Experience counts when it comes to IT security. An experienced penetration tester can quickly identify the systems, services and configurations that present possible vectors for attack. They are able to look at the systems from a comprehensive perspective and draw on past experience that may lead to the detection of issues not initially apparent. Qualified penetration testers should have recognized industry credentials such as Certified Information Systems Security Professional and Systems Security Certified Practitioner.
True penetration tests are characterized by defined goals, a structured methodology, manual engagement and documented proof of vulnerability exploitation. You should receive a report that contains detailed information on what vulnerabilities were found, samples of where they were found, what each one means, and specifics on how to mitigate and/or remediate the issues. You should be able to understand the tasks needed to resolve the risks identified and how much effort may be required to implement the recommended fixes.
The mistake to avoid when conducting a penetration test is confusing it with an automated vulnerability scan. You may find the blog post "How much does a penetration test cost?" a useful resource. Or learn more about all aspects of a successful penetration test by downloading the Best Practices Guide: Penetration Testing.