The Role of Penetration Testing in Vulnerability Risk Management

Reports in the news make it clear that the sophistication of cyber-attackers continues to evolve. So why do so many companies rely on an annual penetration test as the only safeguard against a cyber-attack? Some reasons include: lack of resources, limited budgets, insufficient leadership support, and organizational barriers. However, another reason is that the role of penetration testing in overall vulnerability risk management is not well understood.

What is the difference between pentesting and other security activities?

The PCI Security Standards Council states the following, “A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible.” When NopSec performs a penetration test, the customer receives documented proof of specific systems that have been compromised.

When does penetration testing apply?

For many of our customers, penetration testing is the starting point on their IT security journey. More often than not, customers ask for our services in direct response to a compliance request from an auditor or industry regulator. Requests for a security evaluation from a business partner or potential client are also increasingly common. NopSec often recommends a penetration test to determine a baseline of a company’s security posture. However, what we have discovered is that as a company’s security approach matures, its strategy shifts to more consistent and frequent identification and remediation of IT security vulnerabilities.

Addressing vulnerability risk management

In a past blog post titled “What’s the matter with vulnerability management,” our Chief Technology Officer explained that penetration testing and vulnerability assessments are merely steps in a vulnerability management process. That is worth restating: vulnerability management is a process. Effective vulnerability management is a technology challenge as well as an organizational and corporate culture challenge.

Vulnerability management addresses the phases between identification of the vulnerabilities (via vulnerability scanners) and the implementation of fixes. In our experience, organizational barriers can be the biggest inhibitor to successful vulnerability management. At its best, vulnerability risk management becomes part and parcel of how a company operates IT infrastructure and applications; for example, a web application is scanned daily and the development team immediately remediates any vulnerabilities that are discovered. Security becomes something that happens proactively, not reactively, and certainly not just once per year.

Learn more about NopSec’s proactive approach to vulnerability management and the methodology we use to secure applications and infrastructure from security breaches.

Best Practices Guide: Vulnerability Management