Testing Approach

by msecadm4921

It ain’t what you do it’s the way that you do it – that’s what gets results! The importance of Standardising Methodology in Penetration Testing.

By Jane Frankland, Commercial Director, Corsaire.

They say people are a company’s greatest asset but when it comes to penetration testing people are still the weakest link. When an organisation commissions a penetration test, should it be shocked to learn that the techniques used by many are failing to identify their vulnerabilities and are instead leaving them open to attack? This article proposes a different approach to penetration testing, one that focuses more on methodology than on software tools.

These days, business applications, and in particular web applications, have become vital information assets within many organisations, providing access to (and therefore exposing) key data to internal staff, external partners and the public at large. However, with an onslaught of attacks, organisations are now facing increasing complexity in balancing the need to deliver information services against the need to manage data securely.

Securing an application is a complex yet necessary requirement for almost all businesses. The uniqueness of each application brings a challenge to ensure that the security requirements (functional and non-functional) are established, designed and implemented effectively. Only through a thorough penetration test can the associated security threats, such as exposure, theft or modification of sensitive data, regulatory or commercial impacts, brand damage etc., be identified, the risks quantified and suggested actions provided.

When an organisation commissions a penetration test the expectation is that these security threats will be identified. In practice, however, many are not and organisations are being left exposed and at risk to attack.

For any organisation, having a false belief that it has an accurate view of its security posture can be as damaging as having no idea at all. To blame the quality of the penetration testers would be easy, but it could be unfair. No matter how experienced or well-meaning they are, if the process isn’t well communicated and understood, the results will be haphazard.

For this reason alone, a strong penetration testing methodology must be in place to ensure that the critical threats to the application, its data and the underlying infrastructure are mitigated to a sufficient level (risk-driven), and also to identify lower-impact but still important security issues.

A well-defined methodology is paramount in any activity that requires repeatable results. With a methodology, the process of achieving a result can be studied and the results verified. Without one, accurate vulnerability identification, risk profiling and therefore assurance become very difficult. Methodology should be the foundation upon which assessment is built.

From a completely pragmatic point of view, a methodology helps to get things done. The most advanced tools are of little value if no one knows how to use them. A methodology helps to answer basic questions such as, "how do I accomplish this task?", or even, "what should I do next?" With a methodology, consultants are never left wondering where to start, or whether they are using a tool as intended.

Standardising a penetration testing methodology for all consultants to use is absolutely imperative, as it ensures a consistent baseline between consultants and assessments. When a methodology lacks standardisation, approval, definition, scope and agreement, then no one is responsible, and worse still, consultants are doing their best in a wide and varied (and sometimes even kamikaze) way!

Using a standardised methodology should never mean stifling creativity, though. Creativity is an important element of a penetration test. Take the overnight security guard who follows the stated process as an example: each time he does his rounds, he checks that the same doors and windows are locked and secure but, as it’s not on his list, he walks right past the large hole in the wall. Good security consultants must be fast learners, able to think quickly and out of the box, to create and imagine new threats and attacks, and to work out how they are going to be solved. But they should only have complete freedom to be creative in testing after they’ve followed the standardised methodology. After all, it is more science than art!

There are also major benefits surrounding knowledge sharing. Organisations with cultures of collaboration and communication will always increase the knowledge within their team. This can then spark creativity, assuming the methodology is updated as often as creativity yields results.

To conclude, there is no doubt that people are a company’s greatest asset. Good people can help things run smoothly, help profits grow, build goodwill and great reputations. But people are also a huge liability; they can make mistakes, destroy reputations and leave organisations in ruins. As more and more organisations use penetration tests to assess the validity and accuracy of their environments, the likelihood of discovering discrepancies amongst the suppliers and internal teams used will invariably increase. No matter how good the consultants are, if there isn’t a culture of collaboration, knowledge management and quality assurance throughout the team that is manifest in a standardised methodology, then basic security flaws will continue to be overlooked, leaving the organisation exposed and at risk from attack.

© 2024 Professional Security Magazine. All rights reserved.