Explaining Penetration Testing

Pen Testing...
No, not making sure your Bic has ink.

Penetration testing is the art of compromising someone's system(s) at their request and showing them the results in the hope that something will be done about it. There is a lot of debate about what really happens before, during, and especially after such a test. Many professionals have weighed in, including Marcus Ranum (Tenable Network Security) and HD Moore (Metasploit). You can hear a great podcast about penetration testing at Risky Business.

A penetration tester uses tools to find vulnerabilities in systems (and sometimes in other things, such as the trash). The second step is the more controversial one, and where the arguments lie: once a vulnerability is found, the tester actively exploits it and provides proof that the system is "PWNED". The third step is deciding what to do with the information. If the test results just gather dust, why do the test in the first place? If you have a test done, make sure you act on it to secure your systems.

I would like to weigh in.

I read an article that prompted both my last post and this post. In the article Penetration Testing: Dead in 2009 (CSO online) you will see the following:

The concept as we know it is on its death bed, waiting to die and come back as something else. That doesn't mean pen testers will suddenly be unemployed, he said. It's just that they "won't be as cool" as they've been in more recent years.

Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.

Kevin Riggins, a senior information security analyst for a company in the Des Moines, Iowa, area, said it's hard to argue with Chess' premise that the goal should be fewer failures. But he doesn't believe that sentiment has anything to do with the need for or the use of penetration testing. Furthermore, ... production monitoring and measuring and penetration testing do not address the same issue.

Let's pick this apart a little bit.

Mentioned in the quote is Brian Chess, co-founder and chief scientist of business software assurance (BSA) vendor Fortify Software Inc. Chess' argument appears in the first two paragraphs of the quote.

I agree with Chess, but would like to revise the manner in which it is stated. Penetration testing is prudent when you have limited resources for assessment. From my formal schooling as a teacher, I know that the terms testing and assessment have two very different connotations.
  • Testing is a pressure situation in which a "snapshot" is taken of the state of the subject being tested (what do you know about the events of The War of 1812?).
  • Assessment is an ongoing trend in which an assessor takes many "snapshots" into account (Do you understand the overall concepts of war in the 19th century?).
  • Assessors are usually people who have regular dealings with that which is being assessed, and so provide better insight into the person/thing being assessed. (From this, you can also tell that I find the term "vulnerability assessment" a bit erroneous in most cases.)

I agree with Mr. Riggins except for the statement that "he doesn't believe that sentiment has anything to do with the need for or the use of penetration testing." Following the previous paragraph, I hope that more IT personnel will realize that paying an outsider to test your environment is detrimental to the overall understanding of your environment: it makes your staff's priority fixing the holes they are handed (an exercise that fosters automated thought rather than real critical thinking) rather than continually assessing the systems for possible exposures. Just make sure your staff has the training and motivation to do a great job.

If assessment is done on a regular basis, I predict that FOI will decrease and systems will be more secure overall.

Posted at 9:53 PM by Tim Cronin | 17 Comments


Marisa Fagan said... @ January 4, 2009 at 10:29 PM

Hi Tim,
Found you today via Jack Daniel's Uncommon Sense Security. I enjoyed your perspective on pen testing here. At Errata we do this kind of assessment frequently, but I believe we are perceived quite differently each time based on the background knowledge of the client.

I look forward to reading more!


Tim Cronin said... @ February 20, 2009 at 12:43 AM

Thanks Marisa,

I'm always glad to hear that something I have said may have resonated with someone who is really involved in a subject.
