Penetration Testing

Every CXO and security enthusiast knows this term: Pentest (Penetration Testing). What is pentesting, and how has it evolved over all these years? Is it keeping up with the hackers of this century, or has the trend simply been sidetracked? A pentest, as per Wikipedia, is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker.

Do you agree with this? If you or a colleague is a pentester, ask them. There has been a global change in how pentesting is perceived by both sides of the table: the clients as well as the consultants. Pentesting is no longer in sync with the act of a hacker or cracker; rather it is a checklist that the compliance team has to follow: the PCI, the HIPAA, blah blah. It was the deed of a handful of professionals but is now falling into the hands of "anyone" employed by the security services firms. So what's the deal here with the pentesters, and what's happening? The actual geeky work has been taken over by the tools, and the professionals are responsible for executing them, verifying the findings, and generating reports accordingly. Tools like Nessus, AppScan, Nmap, Metasploit, Core Impact etc. are pretty much self-sustaining in the pentesting environment, and soon they will even deliver a well-drafted report as per the template supplied.

Any tool available in the security world handles 75% of the vulnerabilities, and companies are happy to fix them. But what about the remaining 25% of vulnerabilities? Aren't they important? The irony is that this 25% should be of more concern to a company. Attackers will use these 25% to compromise your resources rather than relying on the 75% of shit hanging there which any script kiddie can run a tool against and exploit. There was a time (years back) when vulnerability scanning was all the hype. But it soon vanished into the dark clouds … and so will Penetration Testing. Firms hire professionals to pentest their network, servers and perimeter security controls, and the end result is a report that is 90% filled with the findings of a tool or piece of software, plus some recommendations and remediation. The actual pentesting environment is fading exponentially fast.

An Update: I had yet to complete my blog, but meanwhile someone shared THIS LINK (a highly recommended read) with me, and I can say there are other people who definitely agree with me and I am not an alien. This link says everything that's in my head in a better, more persuasive way.

Peace.

Mar 7th, 2011 | Filed in: Hacking, Security, Technology | 4 comments
Author: Rishi Narang
  1. May 23rd, 2011 at 08:40 | #1

    That's more of a demand and supply issue, as clearly stated in another place.

    When you give a pentester 10 web applications and ask him to complete the work by EoD so that your boss can sing happy bells in front of the client, this proves two things.

    1) Clients only care about compliance, because that's why they employ security people.
    2) When such a small amount of time is given, you can only expect crap.
    So basically nowadays pentesting is
    CRAP in, CRAP out.

    Talking about research: when a person gets time to raise his head, then he can think of research, and never else.

  2. May 23rd, 2011 at 09:07 | #2

    Yes, I agree with you, Anant.

    Pentesting is losing its essence as well as its effervescence! But still, I will suggest that it is not because of the pen-testers, as sometimes the client deadlines are in a crunch, and sometimes they are just putting a tick in their checklist. Very few clients are really bothered about the "security" aspect and interview pen-testers before employing them!

    Hoping for a better future.

  3. RISHANT S
    Apr 13th, 2012 at 04:30 | #3

    Hi Rishi,
    I think the process needs to be updated to provide us steps that introduce a more extensive "threat profile"/"checklist" that covers each and every important aspect. The 3-5 day process can be something like this:

    1. Understand the network/application scope.
    2. Find your open ports/services/threats.
    3. Build an extensive checklist/threat profile covering all checks for the open ports/services/threats and the test cases of the applications.
    4. Execute each and every test case from the checklist (record the screenshots and findings).
    5. Categorise and report the findings with screenshots.

    In parallel to this you can start automated scanning using Nessus/AppScan and confirm it manually later (won't take more than a day).

    Even if you follow this process 4-5 times you will feel great improvement in your skills.
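As an added illustration (example code, not the commenter's or the post author's), here is a small Python tracker for steps 2 to 5 of the process above, which also enforces the post's point about scanner output: a tool finding is reported separately until someone manually confirms it. The grepable Nmap line and the service-to-checklist map are constructed/hypothetical sample data.

```python
import re
from collections import defaultdict

# Constructed sample: one host in Nmap "grepable" (-oG) style output, not a real scan.
SAMPLE_GNMAP = "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///"

# Hypothetical checklist: which review items each exposed service receives (step 3).
CHECKLIST = {
    "ssh": ["authentication policy review", "supported algorithm review"],
    "http": ["application test cases", "unencrypted transport check"],
    "https": ["application test cases", "TLS configuration review"],
}

def parse_services(gnmap_line):
    """Step 2: return [(port, service)] for every open TCP port in one grepable Nmap line."""
    return [(int(p), s) for p, s in re.findall(r"(\d+)/open/tcp//(\w+)///", gnmap_line)]

def build_checklist(services):
    """Step 3: one test case per (port, item); unknown services get a generic item."""
    cases = []
    for port, svc in services:
        for item in CHECKLIST.get(svc, ["manual service identification"]):
            cases.append({"port": port, "service": svc, "item": item, "status": "todo"})
    return cases

def record(cases, port, item, finding, source, confirmed):
    """Step 4: record a result; scanner findings stay unconfirmed until verified by hand."""
    for c in cases:
        if c["port"] == port and c["item"] == item:
            c.update(status="done", finding=finding, source=source, confirmed=confirmed)
            return c
    raise KeyError(f"no checklist entry for port {port}: {item}")

def report(cases):
    """Step 5: categorise; unconfirmed tool output is listed apart from real findings."""
    out = defaultdict(list)
    for c in cases:
        if c["status"] != "done":
            out["not tested"].append(c)
        elif c["confirmed"]:
            out["confirmed findings"].append(c)
        else:
            out["unconfirmed tool output"].append(c)
    return {k: [f"{c['port']}/{c['service']}: {c['item']}" for c in v] for k, v in out.items()}
```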
