12 July 2016

No, you’re not Penetration Testing. Get over yourself.

The amount of time I have seen wasted haggling-the-toss over what constitutes a Penetration Test is a constant source of amusement (especially as it is almost always by someone who clearly has no idea). And yes, I’m quite aware of the irony of me taking this article and throwing it onto the same vanity bonfire, along with the rest of the waffle.

The reality is that it is now coming up to twenty years that I have been delivering commercial Penetration Testing services, and in all that time I can think of only one client that actually wanted a genuine, dictionary-definition Penetration Test. Just one!

Why might that be? Because it is potentially a very expensive exercise, both from the perspective of the amount of effort required to actually break all the way into someone’s systems (especially when it might require identifying zero-day vulnerabilities and developing new exploit code to use them), plus also because there is a very real chance that delivering those exploits will impact on expensive production platforms.

Meanwhile, the daily reality for those delivering the projects is that they are almost always delayed to the eleventh hour, and time constrained to the point where there is barely enough to get the basics complete. And that’s even before you add in the headaches caused by unreliable, unavailable systems, and access-control mishaps. Once you factor all that in too, it means that there is rarely enough time to do more than note the presence of a new vulnerability, let alone to pursue it through to a fully working exploit (and no, popping a JavaScript alert box doesn’t count).

So at best, what is described as a Penetration Test is often little more than a comprehensive scan of vulnerabilities, topped-up with some manual verification of issues that the tools don’t do a very good job of finding. At worst? It’s not even that.

And what about the single, mythical client that actually wanted a real Penetration Test? Oh, that was a London council, where the IT Security Manager blew a big chunk of his budget on getting us to hack all the way into his (apparently much loathed) CEO’s desktop. Simply to prove a point.

Ah the ego. She is beautiful, no?
