Admin

What is the future of penetration testing?




There’s been increasing debate online and in the cybersecurity sector recently over both the future and current utility of penetration testing.

Some experts suggest that, in its current form, penetration testing is something of a waste of time, whereas others believe that it remains a vital tool in ensuring effective cybersecurity.


Penetration tests, when properly scoped, highlight assets and functionality which can be abused by an attacker looking to gain access to an organization. However, poorly scoped penetration tests don’t always offer good value.


Often companies use penetration tests not because they genuinely want to test the security of their systems but rather as a way of appeasing an auditor or demonstrating compliance. If the motivation is simply to meet rigid compliance requirements, then the outcomes are often not useful.


Even worse, perhaps, some vendors appear to offer penetration testing but then charge a great deal of money to perform what is essentially a vulnerability and patch assessment scan using commercial off-the-shelf products. They then take the report from that product, re-badge it, and send it to the customer. Unhelpfully, this could tar all penetration testing companies, to whom such behavior is anathema, with the same negative brush.


Just performing a vulnerability assessment does help, as it can identify any low-hanging fruit that could be a potentially easy attack surface for script kiddies or professional attackers to focus on.


It is, however, a far cry from proper penetration testing, which leverages the penetration tester's years of experience and cunning to use blended attacks to compromise the customer in a very similar way to how actual attackers would.


At the end of the engagement, communicating the risk is one of the toughest challenges in both penetration testing and cybersecurity in general: how do we make the message intelligible to the recipient, especially if they don't have a cyber background (as is the case for many decision makers)?


Traditional pen-testing and vulnerability scanning can fall into this category: often the results of penetration tests are so complex and potentially convoluted that the customer doesn't derive the full benefit from them.


So, what’s the future for penetration testing likely to be?


If asked, we would wager that most penetration testers would prefer to focus on the things that really matter, simulating realistic threats, rather than be bogged down by time-consuming vulnerability assessment-related tasks.


Perhaps automation could be introduced to perform the mundane heavy lifting whilst providing the customer with deliverables tailored to their technical level and needs. Valuable and highly specialist penetration testers could then focus on the areas that really demand their highly skilled attention, namely attacking customers the way they are actually attacked. Even on a reduced overall spend, the customer would then get much better value.


So if you are thinking of making a career in penetration testing, you can join an online penetration testing course, and the best place to start is with WsCube Tech. WsCube Tech provides a penetration testing certification course online as well as an offline course, giving students all the technical knowledge and skills required for a successful career in hacking, hacking defense, or cyber forensics. By enrolling in one of the courses, students will receive a certificate of completion upon successfully completing the course and earning its certification.
