
Security Think Tank: Pen testing should be about risk, not box-ticking

How can organisations ensure they get value from penetration and security testing services?

Penetration testing is one of those areas of security practice that can so easily become a box-ticking exercise.

To get the most value out of penetration and security testing services, organisations need to bring them into a discussion centred on risk. They need to understand the risks they face, and articulate the impact these risks can have on their organisations.

Once the risks can be articulated – along with an understanding of their potential impact on the business, including the cost of remediation – tests and services can be designed to suit well-considered and understood objectives.  

Currently, we see every organisation being exhorted to carry out a penetration test at least once a year. Also, standards such as PCI-DSS 3.1 and Cyber Essentials Plus already require such a test.

Unfortunately, businesses often fail to get value from such an exercise for many of the reasons listed below:

  1. Not understanding what is being bought.
  2. Not testing the right thing(s).
  3. Not setting the right scope.
  4. Not testing before deployment or during development.
  5. Not having the will or the budget to correct the problems found.
  6. Not getting good testers.
  7. Not understanding what the final pen testing report is telling them.
  8. Not testing on a regular basis.
  9. Not testing after upgrades or other maintenance.

Security testing services are much wider in scope than penetration testing, but again suffer from the same issues. If vulnerability scans are limited in scope, poorly carried out, or the vulnerabilities discovered are not remediated, then the value derived will be limited.

Security professionals have developed techniques to optimise value; for example, the (ISC)2 Certified Information Systems Security Professional (CISSP) CBK covers the ideas of “open” and “blind” scopes, and how each affects the effectiveness of a test.

It is also important that management is willing to prioritise and invest in both the test and its outcomes. In software development, for example, these tests can quickly highlight errors or omissions before the product is completed and deployed, and they can catch common oversights, such as failing to apply the OWASP Top 10 to guide defensive programming.

The pressure to release software and products, however, continues to trump the desire to ensure robust testing. In short, value in any kind of testing requires a commitment to both understanding and achieving your objectives.

Adrian Davis is managing director for Europe at (ISC)2.
