The Value of Penetration Testing
There is an argument against penetration testing that questions the value such activities provide compared to other assessment methods, such as vulnerability assessments. This argument tends to imply that anything discoverable through a penetration test would be as easily found through other methods. Often, the proponents of this view will also emphasize the high rate of false negatives that a penetration test produces.
By itself, a penetration test is not a comprehensive security posture assessment. The results of a pentest are strongly influenced by the time allotted to, and the skill of, the one performing the test. However, when combined with vulnerability assessments and audits of policies, a penetration test can provide valuable insight into how well your security program operates in the real world.
Penetration testing validates the findings of vulnerability assessments and the remediation process. Vulnerability assessments are excellent at identifying possible vectors for exploitation in a network, but they can create false positives that make it difficult to calculate the associated risk. Penetration testing doesn't have an issue with false positives: you either succeed at exploiting a vulnerability or you fail. Any successful attack by a pentester is indicative of a security vulnerability that has a functional exploit.
Penetration testing can assess non-technical aspects of security, such as physical security and employee security awareness. When social engineering is included in a pentest, you are able to test the reaction of employees to malicious activity. Do employees recognize a suspicious person face-to-face? Are procedures being ignored in a way that opens your network to a new attack? No automated assessment tool can interact with the physical world or evaluate the dynamics of human interaction.
Penetration testing provides documented threats and recommendations that can be used to build a business case for IT security. Because the immediate goal of a penetration test is to bypass security measures that someone spent many hours planning and implementing, it is common to get a little resistance when delivering the results. I understand the frustration that people feel when holes are discovered in their hard work. It is not the function of a pentest to point fingers and pass blame for problems. The results of a pentest can be used to develop internal policies and procedures, and as a tool for presenting the business value of IT security programs.
In a comprehensive review of your IT security program, penetration testing is a valuable tool that should not be neglected. There is no better way to validate your posture and demonstrate the need for vigilance than providing proof-of-concept attacks that could cost much more in terms of reputation and customer security if discovered by the bad guys first.
