Security Zone: penetration testing – define your objectives

Penetration testing is not always well understood by those purchasing such services. It is my belief that organisations could often obtain better value for money by considering other security assessment techniques, writes Lee Newcombe, principal consultant at Capgemini.

I describe the whole spectrum of penetration testing, vulnerability assessment, configuration and process reviews as security assessment. I use the term penetration testing in its purist sense: a penetration test attempts to circumvent the security controls of the system under test and then examines how far the tester can extend that access into the target organisation. A penetration test is not necessarily a comprehensive assessment of an organisation's security; one exploitable weakness is all the tester needs.

Penetration tests can include logical, physical and personnel aspects and may involve techniques such as social engineering. A vulnerability assessment should attempt to identify all known weaknesses within the assessment scope but should not attempt to leverage identified weaknesses to penetrate into the organisation. Some exploitation may still be required to confirm that the vulnerabilities reported by a vulnerability assessment actually exist, because automated tools often produce false positives.

Organisations must first understand the rationale underlying their security assessment requirements before scoping any testing. Is it to improve security? To raise awareness of the impact of a compromise? To meet compliance requirements?

If the aim is to improve security, consider configuration reviews (operating system, database, web server, firewalls, network equipment, etc) and a process review - it is dull work, but cost-effective and some testing firms charge less for this kind of job.

Configuration reviews highlight infrastructure weaknesses without the false positives and false negatives that arise when a remote unauthenticated scan misidentifies services or infers settings from a banner. They are great for improving infrastructure security, but when it comes to application-level security, more active testing such as penetration testing must be considered. Configuration reviews will not detect input validation, session management or logic errors within applications.
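To make the contrast concrete, here is a small authenticated configuration review of an OpenSSH server configuration. It is an added example written for this page, not code from the article or from Capgemini. A remote scan sees only the SSH banner; the review reads the effective directives (first occurrence wins, as sshd applies them) and compares them against a baseline. The baseline and the sample configurations are constructed for illustration and cover a handful of directives only; the default values are taken from the OpenSSH sshd_config documentation and should be checked against the version actually deployed.

```python
"""Authenticated configuration review of an sshd_config (added example).

Shows what a configuration review sees that a remote unauthenticated scan
cannot: the effective value of each directive, including silent defaults.
The baseline below is a constructed subset, not a complete hardening standard.
"""
from typing import Dict, List, Set, Tuple

# Constructed baseline: directive -> (accepted values, severity if violated).
# Keywords are compared case-insensitively, as sshd itself treats them.
BASELINE: Dict[str, Tuple[Set[str], str]] = {
    "permitrootlogin": ({"no", "prohibit-password"}, "high"),
    "passwordauthentication": ({"no"}, "medium"),
    "permitemptypasswords": ({"no"}, "high"),
    "x11forwarding": ({"no"}, "low"),
    "maxauthtries": ({"3", "4", "5"}, "low"),
}

# Values sshd applies when a directive is absent (per the sshd_config manual
# for current OpenSSH releases; verify against the deployed version).
DEFAULTS: Dict[str, str] = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global directives of an sshd_config.

    sshd honours the first occurrence of a keyword; later duplicates are
    ignored. Directives inside a 'Match' block are conditional and are
    deliberately skipped here, so this reviews the global policy only.
    """
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)   # first occurrence wins
    return effective


def review(text: str) -> List[dict]:
    """Compare effective settings (explicit or defaulted) against BASELINE."""
    cfg = parse_sshd_config(text)
    findings: List[dict] = []
    for key, (allowed, severity) in BASELINE.items():
        actual = cfg.get(key, DEFAULTS[key])
        if actual.lower() not in allowed:
            findings.append({
                "directive": key,
                "value": actual,
                "source": "explicit" if key in cfg else "default",
                "severity": severity,
                "expected": sorted(allowed),
            })
    return findings


# Constructed sample: to a remote scanner this host is just "OpenSSH_9.6".
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes   # ticket 1234: 'temporary'
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: same banner, reviewed settings are all within baseline.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("empty", "")):
        print(f"== {name} ==")
        for f in review(cfg):
            print(f"  [{f['severity']}] {f['directive']}={f['value']} ({f['source']}); "
                  f"expected one of {f['expected']}")
```

Note the empty configuration: nothing is written in the file, yet the review still reports password authentication enabled and a MaxAuthTries of 6, because those are the defaults sshd will apply. That is exactly the class of weakness a banner-grabbing scan cannot see and a configuration review reports without guessing.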

Raising awareness of the impact of a compromise among budget holders is another sensible driver for a penetration test - in the current climate pointing out that a tester obtained customer data inside a day of testing may loosen a few purse strings.

If bringing in a testing provider, choose a reputable one - are they registered under the CHECK or CREST schemes? Are they a QSA or ASV if dealing with PCI DSS requirements? Do they have a history of security research and good client references? Do they have a rigorous approach towards test containment that reduces the risk of disruption? Can they demonstrate the necessary specialist expertise if performing application-level assessments?

Good infrastructure testing skills do not imply any capability to adequately check application-level security. If they use the terms penetration testing and vulnerability assessment interchangeably, run away fast.

A thorough understanding of security assessment techniques, and strong relationships with trusted testing providers, are a vital part of an effective overall security strategy. A poorly thought out approach risks expensive testing that provides little real assurance or worse, a great deal of false confidence.
