Kennedy noted that penetration testing should not focus exclusively on vulnerability scanning. He pointed to the fallacy of treating the choice of penetration test type as a purely cost-based decision: that approach will always favour the cheaper path of an automated vulnerability scan over the more expensive, but vastly more thorough, full manual penetration test undertaken by a specialist. Kennedy also observed that an automated scan may produce a voluminous report without telling the business much about what actually needs to be done to address the underlying issues; for that, a human specialist is required.
This point is seconded by Briony Williams, a security consultant at commissum (see http://www.commissum.com/), who remarks: “The danger is that many companies who commission vulnerability scans may be lulled into the belief that a successful scan means their systems are secure. In reality, the scan is unable to dig down to the core issues in the way that a specialist tester can. While many testing firms have recently appeared, those who commission security testing should ensure that the company they select has independent certification in terms of full manual penetration testing. For example, commissum is a member company of CREST (Council of Registered Ethical Security Testers), and hence is accredited as regards performing full penetration tests. At commissum, we carry out many manual penetration tests and automated vulnerability scans, playing to the specific strengths of these two methodologies rather than attempting to use scanning as a substitute for full penetration testing.”
The debate sparked by Dave Kennedy will no doubt continue for some time within the information security community. However, with the growing incidence of cyber-threats to organisations of all sizes and types, it is more important than ever that those who commission security testing are clear about the strengths and limitations of each type of test.
# # #
commissum is a European company specialising in information assurance and security services for business and government. Services include penetration testing, information assurance consultancy, information security auditing, and configuration of systems.