What is the future of Penetration Testing?

There’s been increasing debate online and in the cybersecurity sector recently over both the future and current utility of penetration testing.

Some experts suggest that, in its current form, penetration testing is something of a waste of time, whereas others believe that it remains a vital tool in ensuring effective cybersecurity.

Both arguments have some merit

Penetration tests, when properly scoped, highlight assets and functionality which can be abused by an attacker looking to gain access to an organisation. However, poorly scoped penetration tests don’t always offer good value.

Often companies use penetration tests not because they genuinely want to test the security of their systems but rather as a way of appeasing an auditor or demonstrating compliance. If the motivation is simply to meet rigid compliance requirements, then the outcomes are often not useful.

Even worse, perhaps, some vendors appear to offer penetration testing but then charge a great deal of money to perform what is essentially a vulnerability and patch assessment scan using commercial off-the-shelf products. Then they take the report from said product, re-badge it, and send it to a customer. Unhelpfully, this could tar all penetration testing companies, to whom such behaviour is anathema, with the same negative brush.

Just performing a vulnerability assessment does help, as it can identify any low-hanging fruit that could be a potentially easy attack surface for script kiddies or professional attackers to focus on.

It is, however, a far cry from proper penetration testing, which looks to leverage the penetration tester’s years of experience and deviousness/cunning to use blended attacks to compromise the customer in much the same way an actual attack would.

At the end of the engagement, communicating the risk is one of the toughest challenges in both penetration testing and cybersecurity in general: how do we make the message intelligible to the recipient, especially if they don’t have a cyber background (as is the case for many decision makers)?

Traditional pen-testing and vulnerability scanning can fall into this category - often the results of penetration tests are so complex and potentially convoluted that the customer doesn’t derive the full benefit from them.

So, what’s the future for penetration testing likely to be?

If asked, we would wager that most penetration testers would prefer to focus on the things that really matter, simulating realistic threats, rather than be bogged down by time-consuming tasks related to vulnerability assessment.

Perhaps automation could be introduced to perform the mundane heavy lifting whilst providing the customer with deliverables tailored to their technical level and needs. Valuable and highly specialist penetration testers could then focus on the areas that really demand their highly skilled attention, namely attacking customers the way they actually are attacked. Even on a reduced overall spend, the customer would get much better value. Enter tools like CyberScore™.

Automation of the baseline security testing allows the human tester to focus their time and expertise on actually simulating realistic threats. Rather than automation that aims to replace the human element, tools such as CyberScore™ are an enabling technology.

CyberScore™ has been designed so that a client can have a view of their security posture any time they wish and can fix their ‘low hanging fruit’ issues themselves. This means that when XQ Cyber (other vendors are available) is commissioned to perform a pen-test on a CyberScore™ customer, we are actively probing for and using the blended attacks which are used by attackers to infiltrate the network.

Thus, the client gets more value for money, and our testers are not sitting around drinking coffee whilst the vulnerability scanning software is at work.

For a potentially reduced overall spend, the customer can get regular CyberScore™ assessments whilst still allowing their pen-test team to spend significantly more time than they were before on simulating realistic threats.

Here at XQ Cyber, we struggle to see how that does not represent good value for the customer and what the pen-test industry has been craving for ages.

For further reading check out:

https://www.xqcyber.com/cyberscore/show/this-cyber-red-teaming-lark

https://www.xqcyber.com/cyberscore/show/why-businesses-don-t-red-team

Want to learn more about how XQ CyberScore™ can help secure your business? Visit our website at www.xqcyber.com/cyberscore, and if you want to give yourself the very best protection against cyber security threats, try our CyberScore™ software for free now.
